N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-h6xm-c6r4-vmwf

EPSS Score

CWE

Published

12/23/2024

Updated

12/23/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-h6xm-c6r4-vmwf

GHSA-h6xm-c6r4-vmwf: Unsound usages of `u8` type casting in spl-token-swap

The library provides a safe public API unpack to cast u8 array to arbitrary types, which can cause to undefined behaviors. The length check of array can only prevent out-of-bound access on the return type. However, it can't prevent misaligned pointer when casting u8 pointer to a type aligned to larger bytes. For example, if we assign u16 to T, misaligned raw pointer dereference could happen and cause to panic. Even if we pass the type aligned to same byte as u8 (e.g., bool), it could construct a illegal type since bool can only have 0 or 1 as bit patterns, which is also an undefined behavior. The further exploits of the bug here are still not clear, so we would report this issue as unsound.

The details of PoC to reproduce undefined behavior are provided in the issue.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-h6xm-c6r4-vmwf

EPSS Score

CWE

Published

12/23/2024

Updated

12/23/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
spl-token-swap	rust	<= 3.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description and GitHub issue explicitly reference the unpack function in instruction.rs as the source of unsoundness. The code shown in the issue demonstrates unsafe pointer casting with &*(&input[1] as *const u8 as *const T) which bypasses Rust's safety checks for alignment and valid bit patterns. The provided PoC examples with bool and u16 demonstrate concrete UB scenarios. The combination of unsafe pointer manipulation in a public API without proper alignment checks or value validation matches the described vulnerability characteristics.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** li*r*ry provi**s * s*** pu*li* *PI `unp**k` to **st `u*` *rr*y to *r*itr*ry typ*s, w*i** **n **us* to un***in** ****viors. T** l*n*t* ****k o* *rr*y **n only pr*v*nt out-o*-*oun* ****ss on t** r*turn typ*. *ow*v*r, it **n't pr*v*nt mis*li*n** poi

Reasoning

T** vuln*r**ility **s*ription *n* *it*u* issu* *xpli*itly r***r*n** t** `unp**k` *un*tion in instru*tion.rs *s t** sour** o* unsoun*n*ss. T** *o** s*own in t** issu* **monstr*t*s uns*** point*r **stin* wit* `&*(&input[*] *s **onst u* *s **onst T)` w*

N/A

Basic Information

Concerned about an active attack path?

GHSA-h6xm-c6r4-vmwf: Unsound usages of `u8` type casting in spl-token-swap

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI