CVE-2020-35927: Data races in thex

CVSS Score: 5.5 (version 3.1)

Basic Information

EPSS Score: 0.16805%
Published: 8/25/2021
Updated: 1/9/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name: thex
Ecosystem: rust
Vulnerable Versions: <= 0.1.0
First Patched Version: none listed

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The core vulnerability stems from the improper Sync trait implementation for Thex<T>. In Rust, Sync indicates a type can be safely shared between threads via references. However, the implementation lacked a T: Send bound, violating Rust's safety guarantees. This allows Thex<T> to be marked as thread-safe (Sync) even when containing non-Send types like Rc, enabling cross-thread data races. The advisory explicitly identifies this missing bound as the root cause, making the Sync trait implementation the clear vulnerable component.
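
The missing bound described above, shown as an added Rust example that is not the thex crate's code: `Unbounded` and `Bounded` are hypothetical lock-style wrappers, and `Probe` is a helper that reports at compile time whether a type is `Sync`.

```rust
use std::cell::UnsafeCell;
use std::marker::PhantomData;
use std::rc::Rc;
use std::sync::Mutex;

// Hypothetical lock-style wrappers (assumption: not the thex crate's source).
#[allow(dead_code)]
pub struct Unbounded<T>(UnsafeCell<T>);
pub struct Bounded<T> { lock: Mutex<()>, value: UnsafeCell<T> }

// Flawed pattern: Sync is promised for every T, including non-Send types.
unsafe impl<T> Sync for Unbounded<T> {}
// Sound pattern: &Bounded<T> yields &mut T on any thread, so T must be Send.
unsafe impl<T: Send> Sync for Bounded<T> {}

impl<T> Bounded<T> {
    pub fn new(value: T) -> Self {
        Bounded { lock: Mutex::new(()), value: UnsafeCell::new(value) }
    }
    // Exclusive access: the guard is held for the whole closure call.
    pub fn with<R>(&self, f: impl FnOnce(&mut T) -> R) -> R {
        let _guard = self.lock.lock().unwrap();
        f(unsafe { &mut *self.value.get() })
    }
}

// Probe: the inherent const exists only when W: Sync and shadows the default.
#[allow(dead_code)]
struct Probe<W>(PhantomData<W>);
trait Fallback { const IS_SYNC: bool = false; }
impl<W> Fallback for Probe<W> {}
impl<W: Sync> Probe<W> { const IS_SYNC: bool = true; }

pub fn unbounded_rc_is_sync() -> bool { Probe::<Unbounded<Rc<u32>>>::IS_SYNC }
pub fn bounded_rc_is_sync() -> bool { Probe::<Bounded<Rc<u32>>>::IS_SYNC }

// A Send payload is still shareable: four threads increment one counter.
pub fn shared_count() -> u64 {
    let counter = Bounded::new(0u64);
    std::thread::scope(|s| {
        for _ in 0..4 {
            s.spawn(|| { for _ in 0..1000 { counter.with(|n| *n += 1) } });
        }
    });
    counter.with(|n| *n)
}

fn main() {
    println!("{} {} {}", unbounded_rc_is_sync(), bounded_rc_is_sync(), shared_count());
}
```

With the `T: Send` bound in place, sharing a `Bounded<Rc<_>>` across threads is rejected by the compiler, while `Send` payloads such as the counter keep working.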


An issue was discovered in the thex crate through ****-**-** for Rust. Thex<T> allows cross-thread data races of non-Send types.
