
CVE-2021-45690: Use of Uninitialized Resource in messagepack-rs.

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.61972%
Published: 1/6/2022
Updated: 6/13/2023
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: messagepack-rs
Ecosystem: rust
Vulnerable Versions: <= 0.8.1
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from four functions that:

  1. Create a Vec buffer with a reserved capacity (Vec::with_capacity) but a length of zero
  2. Use unsafe { set_len } to grow the length without initializing the new bytes
  3. Pass the still-uninitialized buffer to Read::read_exact

This violates Rust's safety requirements: a Read implementation receives a &mut [u8] and is allowed to read from it as well as write to it, so callers must hand it initialized memory. The advisory explicitly lists these functions, and the code examples confirm the unsafe pattern. GitHub issue #2 gives direct evidence of the vulnerable pattern in deserialize_binary and deserialize_string, and the advisory extends it to deserialize_extension_others and deserialize_string_primitive, which share the same pattern.
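The pattern described above, as an added example that is not messagepack-rs code: the unsound set_len-before-read_exact routine beside a hardened replacement that zero-initializes the buffer and bounds the untrusted length, driven through an illustrative MessagePack bin 8 parser. The function and type names are assumptions, and the reader type that inspects its buffer is constructed here to show why an uninitialized buffer matters.

```rust
use std::io::{self, Cursor, Read};

// Added example (not messagepack-rs code): the set_len-before-read_exact
// pattern from the root-cause analysis, next to a hardened replacement.
// Names are illustrative; MessagePack bin 8 (0xc4, u8 length, payload) is the sample format.

/// The flawed pattern. `set_len` exposes `len` bytes that were never written and
/// `read_exact` hands that uninitialized memory to the reader. Compiled only to
/// show what the fix replaces; nothing in this example calls it.
#[allow(dead_code)]
fn read_bytes_unsound<R: Read>(r: &mut R, len: usize) -> io::Result<Vec<u8>> {
    let mut buf = Vec::with_capacity(len);
    unsafe { buf.set_len(len) }; // undefined behaviour: contents are uninitialized
    r.read_exact(&mut buf)?;     // a Read impl may observe whatever was there
    Ok(buf)
}

/// Hardened replacement: zero-initialize before the reader touches the buffer,
/// and bound the attacker-controlled length before allocating.
fn read_bytes<R: Read>(r: &mut R, len: usize, max_len: usize) -> io::Result<Vec<u8>> {
    if len > max_len {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "bin length over limit"));
    }
    let mut buf = vec![0u8; len];
    r.read_exact(&mut buf)?;
    Ok(buf)
}

/// Parses one MessagePack bin 8 value (marker 0xc4, one-byte length, payload).
fn deserialize_bin8<R: Read>(r: &mut R, max_len: usize) -> io::Result<Vec<u8>> {
    let mut hdr = [0u8; 2];
    r.read_exact(&mut hdr)?;
    if hdr[0] != 0xc4 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "not a bin 8 marker"));
    }
    read_bytes(r, hdr[1] as usize, max_len)
}

/// A Read impl that inspects the buffer it is given before filling it, as a buggy
/// or hostile reader could. On the hardened path it only ever sees zeros.
struct PeekingReader { inner: Cursor<Vec<u8>>, seen_nonzero: bool }
impl Read for PeekingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if buf.iter().any(|&b| b != 0) { self.seen_nonzero = true; }
        self.inner.read(buf)
    }
}
```

Running the hardened parser under Miri or with a peeking reader is the practical check: the unsound variant would let the reader observe stale heap contents, the hardened one never exposes anything but zeros.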

Vulnerable functions


WAF Protection Rules

WAF Rule

An issue was discovered in the messagepack-rs crate through ****-**-** for Rust. deserialize_binary may read from uninitialized memory locations.
