7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29935

GHSA ID

GHSA-vcw4-8ph6-7vw8

EPSS Score

0.60529%

CWE

CWE-416

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29935

CVE-2021-29935:
Use after free in Rocket

Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function.

This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop, however, a function f was called that could invoke a user provided function.

If the user provided panicked, then the assumption used by the function was no longer true and the transmute to &'static would create an illegal static reference to the string. This could result in a freed string being used during (such as in a Drop implementation) or after (e.g through catch_unwind) the panic unwinding.

This flaw was corrected in commit e325e2f by using a guard object to ensure that the &'static str was dropped inside the function.

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29935

GHSA ID

GHSA-vcw4-8ph6-7vw8

EPSS Score

0.60529%

CWE

CWE-416

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rocket	rust	< 0.4.7	0.4.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the original implementation of 'with_prefix' which performed unsafe lifetime manipulation via transmute and lacked panic safety. The function's control flow allowed user-provided code (through callback 'f') to execute between push/pop operations on the prefixes stack. The commit diff shows the fix involved introducing a guard pattern with Drop implementation to ensure stack cleanup even during panics, confirming the original function's unsafe structure. The test case added in the commit specifically demonstrates how a panic during this window could lead to use-after-free via the prefixes stack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* t*is *r*t* tr*nsmut** * &str to * &'st*ti* str ***or* pus*in* it into * St**kV**, t*is v*lu* w*s t**n popp** l*t*r in t** s*m* *un*tion. T*is w*s *ssum** to ** s*** ****us* t** r***r*n** woul* ** v*li* w*il* t** m*t*o*'s st**k w

Reasoning

T** vuln*r**ility st*ms *rom t** ori*in*l impl*m*nt*tion o* 'wit*_pr**ix' w*i** p*r*orm** uns*** li**tim* m*nipul*tion vi* tr*nsmut* *n* l**k** p*ni* s***ty. T** *un*tion's *ontrol *low *llow** us*r-provi*** *o** (t*rou** **ll***k '*') to *x**ut* **t

7.3

Basic Information

Concerned about an active attack path?

CVE-2021-29935: Use after free in Rocket

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-29935:
Use after free in Rocket

Vulnerability Intelligence
Miggo AI