GHSA-5w5r-mf82-595p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5w5r-mf82-595p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-5w5r-mf82-595p/GHSA-5w5r-mf82-595p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5w5r-mf82-595p
- Aliases
- Published
- 2026-01-28T16:06:09Z
- Modified
- 2026-02-03T03:06:53.944791Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Cap'n Proto has Undefined Behavior in constant::Reader and StructSchema
- Details
-
The safe API functions
constant::Reader::getandStructSchema::newrely onPointerReader::get_root_unchecked, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.Reader::getpub fn get(&self) -> Result<<T as Owned>::Reader<'static>> { // ... // UNSAFE: access `words` without validation }StructSchema::newpub fn new(builder: RawBrandedStructSchema) -> StructSchema { // ... // UNSAFE: access encoded nodes without validation }This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.
The issue is resolved in version
0.24.0by making constructor functions unsafe and mark the fields of struct as visible only in the crate. - Database specific
{ "cwe_ids": [ "CWE-758" ], "github_reviewed_at": "2026-01-28T16:06:09Z", "nvd_published_at": null, "severity": "CRITICAL", "github_reviewed": true }- References
-
- https://github.com/capnproto/capnproto-rust/issues/605
- https://github.com/capnproto/capnproto-rust/commit/7b981f4c75a975c80444cd38729bcdf12bf3eabf
- https://github.com/capnproto/capnproto-rust/commit/e3aeec213e6d1b30a182bf61682a370f20d8a02c
- https://github.com/capnproto/capnproto-rust
- https://rustsec.org/advisories/RUSTSEC-2025-0143.html
Affected packages
crates.io / capnp
Package
- Name
- capnp
- View open source insights on deps.dev
- Purl
- pkg:cargo/capnp