N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-ghc8-5cgm-5rpf

EPSS Score

CWE

Published

9/11/2023

Updated

9/11/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-ghc8-5cgm-5rpf

GHSA-ghc8-5cgm-5rpf: Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

Affected versions allow arbitrary caller-provided code to execute before the lifetime of main.

If the caller-provided code accesses particular pieces of the standard library that require an initialized Rust runtime, such as std::io or std::thread, these may not behave as documented. Panics are likely; UB is possible.

The flaw was corrected by enforcing that only code written within the inventory crate, which is guaranteed not to access runtime-dependent parts of the standard library, runs before main. Caller-provided code is restricted to running at compile time.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-ghc8-5cgm-5rpf

EPSS Score

CWE

Published

9/11/2023

Updated

9/11/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
inventory	rust	< 0.2.0	0.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key functions:

inventory::submit - Public API entry point that accepted arbitrary user values through submit! macro expansions. These values were executed in #[ctor] initializers before main.
Registry::submit - Internal method that processed dynamically allocated nodes, enabling runtime-linked list manipulation before standard library initialization.

The patch (b853350) addressed this by:

Removing inventory::submit
Requiring const construction via ErasedNode
Replacing Box<Node<T>> with static Node using const expressions This restricted execution to compile-time only, preventing pre-main runtime code execution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions *llow *r*itr*ry **ll*r-provi*** *o** to *x**ut* ***or* t** li**tim* o* `m*in`. I* t** **ll*r-provi*** *o** ****ss*s p*rti*ul*r pi***s o* t** st*n**r* li*r*ry t**t r*quir* *n initi*liz** Rust runtim*, su** *s `st*::io` or `st*::t*r*

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *un*tions: *. inv*ntory::su*mit - Pu*li* *PI *ntry point t**t ****pt** *r*itr*ry us*r v*lu*s t*rou** su*mit! m**ro *xp*nsions. T**s* v*lu*s w*r* *x**ut** in #[*tor] initi*liz*rs ***or* m*in. *. R**istry::su*mit

N/A

Basic Information

Concerned about an active attack path?

GHSA-ghc8-5cgm-5rpf: Inventory fails to prohibit standard library access prior to initialization of Rust standard library runtime

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI