GHSA-2326-pfpj-vx3h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2326-pfpj-vx3h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2326-pfpj-vx3h
- Aliases
- Related
- Published
- 2024-09-16T17:19:01Z
- Modified
- 2025-10-28T06:29:22.520758Z
- Summary
- lexical-core has multiple soundness issues
- Details
-
RUSTSEC-2024-0377contains multiple soundness issues:- Bytes::read() allows creating instances of types with invalid bit patterns
- BytesIter::read() advances iterators out of bounds
- The <code>BytesIter</code> trait has safety invariants but is public and not marked <code>unsafe</code>
- <code>write_float()</code> calls <code>MaybeUninit::assume_init()</code> on uninitialized data, which is is not allowed by the Rust abstract machine
- <code>radix()</code> calls <code>MaybeUninit::assume_init()</code> on uninitialized data, which is is not allowed by the Rust abstract machine
Version 1.0 fixes these issues, removes the vast majority of
unsafecode, and also fixes some correctness issues. - Database specific
{ "github_reviewed": true, "cwe_ids": [], "github_reviewed_at": "2024-09-16T17:19:01Z", "nvd_published_at": null, "severity": "LOW" }- References
-
- https://github.com/Alexhuszagh/rust-lexical/issues/101
- https://github.com/Alexhuszagh/rust-lexical/issues/102
- https://github.com/Alexhuszagh/rust-lexical/issues/104
- https://github.com/Alexhuszagh/rust-lexical/issues/126
- https://github.com/Alexhuszagh/rust-lexical/issues/95
- https://github.com/Alexhuszagh/rust-lexical
- https://github.com/advisories/GHSA-c2hm-mjxv-89r4
- https://rustsec.org/advisories/RUSTSEC-2023-0055
- https://rustsec.org/advisories/RUSTSEC-2023-0086.html
Affected packages
crates.io / lexical-core
Package
- Name
- lexical-core
- View open source insights on deps.dev
- Purl
- pkg:cargo/lexical-core