N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-q89g-4vhh-mvvm

EPSS Score

CWE

Published

6/17/2022

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-q89g-4vhh-mvvm

GHSA-q89g-4vhh-mvvm: Incorrect Lifetime Bounds on Closures in `rusqlite`

The lifetime bound on several closure-accepting rusqlite functions (specifically, functions which register a callback to be later invoked by SQLite) was too relaxed. If a closure referencing borrowed values on the stack is was passed to one of these functions, it could allow Rust code to access objects on the stack after they have been dropped.

The impacted functions are:

Under cfg(feature = "functions"): Connection::create_scalar_function, Connection::create_aggregate_function and Connection::create_window_function.
Under cfg(feature = "hooks"): Connection::commit_hook, Connection::rollback_hook and Connection::update_hook.
Under cfg(feature = "collation"): Connection::create_collation.

The issue exists in all 0.25.* versions prior to 0.25.4, and all 0.26.* versions prior to 0.26.2 (specifically: 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.26.0, and 0.26.1).

The fix is available in versions 0.26.2 and newer, and also has been back-ported to 0.25.4. As it does not exist in 0.24.*, all affected versions should have an upgrade path to a semver-compatible release.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-q89g-4vhh-mvvm

EPSS Score

CWE

Published

6/17/2022

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rusqlite	rust	>= 0.26.0, < 0.26.2	0.26.2
rusqlite	rust	>= 0.25.0, < 0.25.4	0.25.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from closure parameters accepting 'fn' pointers instead of 'Fn' traits with proper 'static lifetimes. All listed functions register callbacks that SQLite might invoke later, but their pre-patch implementations allowed capturing stack-allocated values. The GHSA example with update_hook demonstrates concrete UAF through Mutex capture, and the advisory explicitly lists all 7 functions across three feature groups as impacted. The high confidence comes from reproducible crashes in user reports and explicit function enumeration in multiple authoritative sources (GHSA, RustSec, and project issues).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** li**tim* *oun* on s*v*r*l *losur*-****ptin* `rusqlit*` *un*tions (sp**i*i**lly, *un*tions w*i** r**ist*r * **ll***k to ** l*t*r invok** *y SQLit*) w*s too r*l*x**. I* * *losur* r***r*n*in* *orrow** v*lu*s on t** st**k is w*s p*ss** to on* o* t**s

Reasoning

T** vuln*r**ility st*ms *rom *losur* p*r*m*t*rs ****ptin* '*n' point*rs inst*** o* '*n' tr*its wit* prop*r 'st*ti* li**tim*s. *ll list** *un*tions r**ist*r **ll***ks t**t SQLit* mi**t invok* l*t*r, *ut t**ir pr*-p*t** impl*m*nt*tions *llow** **pturin

N/A

Basic Information

Concerned about an active attack path?

GHSA-q89g-4vhh-mvvm: Incorrect Lifetime Bounds on Closures in `rusqlite`

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI