GHSA-mj73-j457-8x9q

Source
https://github.com/advisories/GHSA-mj73-j457-8x9q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mj73-j457-8x9q/GHSA-mj73-j457-8x9q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mj73-j457-8x9q
Aliases
Published
2025-12-02T00:29:11Z
Modified
2025-12-02T06:12:51.480951Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Summary
maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe
Details

maxminddb prior to version 0.27 declared `Reader::open_mmap` as safe even though it wraps an inherently unsafe memmap2 operation and takes no extra step to guarantee safety. This could have led to undefined behaviour if the file were modified on disk while the memory map was still active.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-915"
    ],
    "severity": "LOW",
    "github_reviewed_at": "2025-12-02T00:29:11Z"
}
References

Affected packages

crates.io / maxminddb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.11.0
Fixed
0.27.0