GHSA-m325-rxjv-pwph: Deserialization functions pass uninitialized memory to user-provided Read

CVSS Score

N/A

Basic Information

CVE ID
-
EPSS Score
-
CWE
-
Published
6/17/2022
Updated
6/13/2023
KEV Status
No
Technology
Rust

Technical Details

CVSS Vector
-
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| messagepack-rs | rust | <= 0.8.1 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from a three-step pattern:

1. A vector is created with a given capacity.
2. Unsafe `set_len()` is used to extend its length without initializing the contents.
3. The uninitialized buffer is passed to `read_exact()`.

This violates Rust's safety requirements as stated in the `Read` trait documentation. Multiple independent sources (the GitHub advisory, the RustSec advisory, and issue #2) explicitly name these four functions and show code examples demonstrating the unsafe pattern. The file path is confirmed through code snippets in the GitHub issue discussion.


WAF Protection Rules

WAF Rule

Affected versions of this crate passed an uninitialized buffer to a user-provided `Read` instance in:

* `deserialize_binary`
* `deserialize_string`
* `deserialize_extension_others`
* `deserialize_string_primitive`

This can result in safe `Read` imp
