The vulnerability exists in the fast-able crate, specifically in the SyncVec::get_unchecked method. The RustSec advisory RUSTSEC-2025-0063 explicitly identifies fast_able::vec::SyncVec::get_unchecked as the affected function. The vulnerability arises because this function was declared as a safe public API, yet it internally used slice::get_unchecked, which is an unsafe operation. As a result, a user of the fast-able crate could call get_unchecked from safe code with an out-of-bounds index and trigger undefined behavior, in this case an out-of-bounds read leading to a process crash (Denial of Service). The patch for this vulnerability, found by inspecting the repository history around the patched version, changes the function signature from pub fn to pub unsafe fn. This change does not fix the out-of-bounds read itself; it transfers the responsibility for ensuring the index is valid to the caller, which is the standard and correct way to expose such potentially dangerous operations in Rust. Any user of this function must now call it inside an unsafe block, signaling that they are upholding the required safety invariants.
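The unsoundness pattern described above and the shape of the fix, as an added illustration that is not the fast-able crate's own code: DemoVec is a hypothetical stand-in for SyncVec, and both the unsound "before" method and the patched `unsafe fn` "after" method are assumed to mirror the advisory's description rather than copied from the crate.

```rust
// Added illustration, not the fast-able crate's own code: a stand-in for
// SyncVec showing the unsound "before" signature and the patched "after".
pub struct DemoVec<T> {
    inner: Vec<T>,
}

impl<T> DemoVec<T> {
    pub fn from_vec(inner: Vec<T>) -> Self {
        DemoVec { inner }
    }

    pub fn len(&self) -> usize {
        self.inner.len()
    }

    /// BEFORE (unsound): a safe signature forwarding to slice::get_unchecked.
    /// Safe code can pass any index, so the library owns the resulting UB.
    /// Shown only for the shape of the bug; never call it with i >= len.
    pub fn get_unchecked_unsound(&self, i: usize) -> &T {
        // SAFETY: none; the missing caller contract is the bug.
        unsafe { self.inner.get_unchecked(i) }
    }

    /// AFTER (the RUSTSEC-2025-0063 fix pattern): same body, but `unsafe fn`,
    /// so callers must opt in with an `unsafe` block and uphold the contract.
    ///
    /// # Safety
    /// `i` must be less than `self.len()`.
    pub unsafe fn get_unchecked(&self, i: usize) -> &T {
        debug_assert!(i < self.inner.len(), "index {i} out of bounds");
        // SAFETY: the caller guarantees `i < len` per the contract above.
        unsafe { self.inner.get_unchecked(i) }
    }

    /// Bounds-checked access; what ordinary callers should reach for.
    pub fn get(&self, i: usize) -> Option<&T> {
        self.inner.get(i)
    }
}

/// Caller side: validate the range once, then use the unchecked path.
pub fn sum_prefix(v: &DemoVec<u32>, n: usize) -> Option<u32> {
    if n > v.len() {
        return None;
    }
    // SAFETY: every i is < n <= len, checked above.
    let total: u32 = (0..n).map(|i| unsafe { *v.get_unchecked(i) }).sum();
    Some(total)
}
```

Auditing for this class of bug means looking for `pub fn` bodies that contain an `unsafe` block whose soundness depends on an argument the caller controls; the fix is either an `unsafe fn` with a documented `# Safety` contract or a checked variant like `get`.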
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| fast-able | rust | < 1.13.7 | 1.13.7 |