Miggo Logo
Miggo Vulnerability Database
CVE-2021-45719

CVE-2021-45719:
Use After Free in rusqlite

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-45719
GHSA ID
GHSA-g87r-23vw-7f87
EPSS Score
0.51056%
CWE
CWE-416
Published
1/6/2022
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
rusqliterust>= 0.25.0, < 0.25.40.25.4
rusqliterust>= 0.26.0, < 0.26.20.26.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incorrect lifetime bounds on closure parameters in various hook/function registration methods. The RustSec advisory (RUSTSEC-2021-0128) explicitly lists these functions as vulnerable due to their ability to accept closures that might capture stack-allocated values. The GitHub issue #1048 demonstrates a concrete use-after-free scenario with update_hook, and the advisory explains the pattern applies to all listed functions that register callbacks with SQLite. The functions are grouped by feature flags (hooks/functions/collation) but share the same core lifetime management flaw.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** rusqlit* *r*t* *.**.x ***or* *.**.* *n* *.**.x ***or* *.**.* *or Rust. up**t*_*ook **s * us*-**t*r-*r**.

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t li**tim* *oun*s on *losur* p*r*m*t*rs in v*rious *ook/*un*tion r**istr*tion m*t*o*s. T** RustS** **visory (RUSTS**-****-****) *xpli*itly lists t**s* *un*tions *s vuln*r**l* *u* to t**ir **ility to ****pt *losur*