CVE-2021-29940: Double free in through

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.65141%
Published: 8/25/2021
Updated: 1/9/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: through
Ecosystem: rust
Vulnerable Versions: <= 0.1.0
First Patched Version: (none listed)

Vulnerability Intelligence
Root Cause Analysis

The advisory explicitly names both through() and through_and() as vulnerable entry points. The root cause is their use of ptr::read to create duplicate ownership without proper panic safety guards. When the user-provided closure panics, both the original value and the ptr::read copy get dropped. The reproduction example demonstrates this with through::through, and the advisory confirms the same pattern exists in through_and. The file path is inferred as src/lib.rs as this is the standard entry point for Rust crates.
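The double drop described above can be observed safely with a destructor-counting type. The following is an added example, not code from the through crate or from this advisory: the signature of through_unsound is an assumed reconstruction of the pattern, and Tracked, through_or, drops_unsound and drops_hardened are hypothetical names. The mem::replace variant is one possible mitigation, not a released patch.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};

// Constructed probe type: counts destructor runs. It owns no heap memory, so a
// double drop is observable here; with String or Vec it would be a double free.
struct Tracked<'a>(&'a AtomicUsize);
impl Drop for Tracked<'_> {
    fn drop(&mut self) { self.0.fetch_add(1, SeqCst); }
}

// Unsound pattern from the analysis above (reconstruction, not the crate's source).
fn through_unsound<T>(elem: &mut T, func: impl FnOnce(T) -> T) {
    unsafe {
        let owned = std::ptr::read(elem); // bitwise copy: two owners of one value
        let new = func(owned); // a panic here drops `owned`; *elem still looks live
        std::ptr::write(elem, new);
    }
}

// Hypothetical panic-safe variant: *elem always holds a valid value of its own.
fn through_or<T>(elem: &mut T, fallback: T, func: impl FnOnce(T) -> T) {
    let owned = std::mem::replace(elem, fallback);
    *elem = func(owned);
}

// Destructor runs for ONE value when the closure panics inside through_unsound.
fn drops_unsound() -> usize {
    let count = AtomicUsize::new(0);
    let _ = catch_unwind(AssertUnwindSafe(|| {
        let mut v = Tracked(&count);
        through_unsound(&mut v, |_t| panic!("constructed panic"));
    }));
    count.load(SeqCst)
}

// (drops of the original value, drops of the fallback) for the safe variant.
fn drops_hardened() -> (usize, usize) {
    let (orig, fb) = (AtomicUsize::new(0), AtomicUsize::new(0));
    let _ = catch_unwind(AssertUnwindSafe(|| {
        let mut v = Tracked(&orig);
        through_or(&mut v, Tracked(&fb), |_t| panic!("constructed panic"));
    }));
    (orig.load(SeqCst), fb.load(SeqCst))
}

fn main() {
    println!("unsound: {} drops; hardened: {:?}", drops_unsound(), drops_hardened());
}
```

The safe variant costs the caller a fallback value up front; the alternative used by some similar crates is a guard that aborts the process if the closure unwinds.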