rustsec-2025-0143
Vulnerability from osv_rustsec
Published
2025-12-24 12:00
Modified
2026-01-29 05:56
Summary
Unsound APIs of public `constant::Reader` and `StructSchema`
Details

The safe API functions constant::Reader::get and StructSchema::new rely on PointerReader::get_root_unchecked, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.

Reader::get

```rust
pub fn get(&self) -> Result<<T as Owned>::Reader<'static>> {
    // ...
    // UNSAFE: access `words` without validation
}
```

StructSchema::new

```rust
pub fn new(builder: RawBrandedStructSchema) -> StructSchema {
    // ...
    // UNSAFE: access encoded nodes without validation
}
```

This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.

The issue is resolved in version 0.24.0 by making the constructor functions unsafe and marking the struct fields visible only within the crate.
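The unsound pattern the advisory describes, and the shape of the 0.24.0 fix, shown on a toy reader as an added illustration (this is not capnp's code). Assumed encoding: word 0 holds an offset, in words, to the payload word; before the fix a safe constructor plus a public field let safe code hand in an out-of-bounds offset that `get`'s unchecked read then dereferenced, and the fix makes the constructor `unsafe` with a documented contract and the field crate-private, with a validating safe constructor layered on top.

```rust
/// Toy "constant reader" over raw words. Constructed encoding for
/// illustration only: `words[0]` is the offset of the payload word.
pub struct Reader<'a> {
    // After the fix: crate-visible only, so code outside the crate cannot
    // assemble a `Reader` around unvalidated words (pre-fix this was `pub`,
    // and `new` below was a safe `fn`, which made `get` unsound).
    pub(crate) words: &'a [u64],
}

impl<'a> Reader<'a> {
    /// Mirrors the fix: the constructor is `unsafe`, so the caller takes on
    /// the invariant that the unchecked read in `get` relies on.
    ///
    /// # Safety
    /// `words` must be non-empty and `words[0] < words.len()`.
    pub unsafe fn from_words_unchecked(words: &'a [u64]) -> Self {
        Reader { words }
    }

    /// Safe entry point: validate the invariant first, then delegate.
    /// Untrusted input is rejected here instead of becoming UB later.
    pub fn try_from_words(words: &'a [u64]) -> Result<Self, &'static str> {
        let off = *words.first().ok_or("empty message")? as usize;
        if off >= words.len() {
            return Err("payload offset out of bounds");
        }
        // SAFETY: the invariant documented on `from_words_unchecked`
        // was just checked.
        Ok(unsafe { Reader::from_words_unchecked(words) })
    }

    /// Reads the payload word. The bounds check is omitted on purpose,
    /// which is exactly why every constructor must uphold the invariant.
    pub fn get(&self) -> u64 {
        let off = self.words[0] as usize;
        // SAFETY: both constructors guarantee `off < self.words.len()`.
        unsafe { *self.words.get_unchecked(off) }
    }
}
```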


{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "capnp::constant::Reader::get",
            "capnp::schema::StructSchema::new"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "capnp",
        "purl": "pkg:cargo/capnp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.24.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-5w5r-mf82-595p"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The safe API functions `constant::Reader::get` and `StructSchema::new` rely on `PointerReader::get_root_unchecked`, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.\n\n## `Reader::get`\n\n```rust\npub fn get(\u0026self) -\u003e Result\u003c\u003cT as Owned\u003e::Reader\u003c\u0027static\u003e\u003e {\n    // ...\n    // UNSAFE: access `words` without validation\n}\n```\n\n## `StructSchema::new`\n\n```rust\npub fn new(builder: RawBrandedStructSchema) -\u003e StructSchema {\n    // ...\n    // UNSAFE: access encoded nodes without validation\n}\n```\n\nThis vulnerability allows safe Rust code to trigger UB, which violates Rust\u0027s safety guarantees.\n\nThe issue is resolved in version `0.24.0` by making constructor functions unsafe and mark the fields of struct as visible only in the crate.",
  "id": "RUSTSEC-2025-0143",
  "modified": "2026-01-29T05:56:50Z",
  "published": "2025-12-24T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/capnp"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0143.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/capnproto/capnproto-rust/issues/605"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Unsound APIs of public `constant::Reader` and `StructSchema`"
}

