N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-mj73-j457-8x9q

GHSA-mj73-j457-8x9q: maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe

maxminddb prior to version 0.27 declared Reader::open_mmap as safe despite wrapping an inherently unsafe memmap2 operation with no extra step done to guarantee safety. This could have led to undefined behaviour if the file were to be modified on disk while the memory map was still active.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-mj73-j457-8x9q

GHSA-mj73-j457-8x9q:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
maxminddb	rust	>= 0.11.0, < 0.27.0	0.27.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the maxminddb Rust crate, specifically in the Reader::open_mmap function. This function provides a way to open a MaxMind DB file using memory mapping. The underlying memmap2::MmapOptions::map operation is unsafe because modifying the file on disk while it's memory-mapped can lead to undefined behavior (like a crash or memory corruption). The maxminddb crate initially declared Reader::open_mmap as a safe function, which is incorrect as it doesn't add any safety guarantees on top of the unsafe mmap call. This gives a false sense of security to the users of the library. The patch addresses this by marking Reader::open_mmap as unsafe, which correctly signals to the user that they are responsible for ensuring the file is not modified while the memory map is active. The vulnerable function is Reader::open_mmap as it existed before this change.

Vulnerable functions

Reader::open_mmap

src/reader.rs

The function `Reader::open_mmap` wraps an unsafe memory mapping operation (`memmap2::MmapOptions::map`) without declaring the function itself as `unsafe`. This can lead to undefined behavior if the underlying file is modified concurrently. The fix was to declare the function as `unsafe` to force callers to uphold the safety contract, which is to ensure the file is not modified while the `Reader` exists.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-mj73-j457-8x9q: maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe

GHSA-mj73-j457-8x9q:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

GHSA-mj73-j457-8x9q: maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI