N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-ghc8-5cgm-5rpf

EPSS Score

CWE

Published

9/11/2023

Updated

9/11/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-ghc8-5cgm-5rpf

GHSA-ghc8-5cgm-5rpf: Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

Affected versions allow arbitrary caller-provided code to execute before the lifetime of main.

If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as std::io or std::thread, these may not behave as documented. Panics are likely; UB is possible.

The flaw was corrected by enforcing that only code written within the inventory crate, which is guaranteed not to access runtime-dependent parts of the standard library, runs before main. Caller-provided code is restricted to running at compile time.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-ghc8-5cgm-5rpf

GHSA-ghc8-5cgm-5rpf:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-ghc8-5cgm-5rpf

EPSS Score

CWE

Published

9/11/2023

Updated

9/11/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
inventory	rust	< 0.2.0	0.2.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key functions:

inventory::submit - Public API entry point that accepted arbitrary user values through submit! macro expansions. These values were executed in #[ctor] initializers before main.
Registry::submit - Internal method that processed dynamically allocated nodes, enabling runtime-linked list manipulation before standard library initialization.

The patch (b853350) addressed this by:

Removing inventory::submit
Requiring const construction via ErasedNode
Replacing Box<Node<T>> with static Node using const expressions This restricted execution to compile-time only, preventing pre-main runtime code execution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-ghc8-5cgm-5rpf: Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

GHSA-ghc8-5cgm-5rpf:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Basic Information

Basic Information

GHSA-ghc8-5cgm-5rpf: Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI