Fluid Attacks Database

Description

rust-openssl Use-After-Free in Md::fetch and Cipher::fetch When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
cargo	openssl	>=0.10.39 <0.10.72	0.10.72

Aliases

1. GCVE-GHSA-4fcv-w3qc-ppgg

References

1. https://github.com/sfackler/rust-openssl/pull/23902. https://github.com/sfackler/rust-openssl/commit/87085bd67896b7f92e6de35d081f607a334beae43. https://rustsec.org/advisories/RUSTSEC-2025-0022.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.