-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability, a panic due to lack of bounds checking, is primarily located in the get_id3 function in src/metadata.rs. The patch diff clearly shows the addition of a bounds check (v.get_mut(new_pos)) before a write operation (v[new_pos] = 0xFF;) that was previously unchecked. This directly pinpoints get_id3 as the function containing the flawed logic. The vulnerability description explicitly states that get_id3 is used by mp3_metadata::read_from_slice(). read_from_slice is a public function that takes the raw byte input and initiates the parsing process which includes calling get_id3. Therefore, read_from_slice is the function that handles potentially malicious input and would be on the call stack leading to the panic. Both functions are critical for understanding the vulnerability's trigger and location.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mp3-metadata | rust | < 0.4.0 | 0.4.0 |
RustRustOngoing coverage of React2Shell