RUSTSEC-2025-0143: Unsound APIs of public constant::Reader and StructSchema #403
Description
| Details | |
|---|---|
| Package | capnp |
| Version | 0.19.8 |
| URL | capnproto/capnproto-rust#605 |
| Patched Versions | >=0.24.0 |
| Aliases | GHSA-5w5r-mf82-595p |
The safe API functions constant::Reader::get and StructSchema::new rely on PointerReader::get_root_unchecked, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.
Reader::get
pub fn get(&self) -> Result<<T as Owned>::Reader<'static>> {
// ...
// UNSAFE: access `words` without validation
}StructSchema::new
pub fn new(builder: RawBrandedStructSchema) -> StructSchema {
// ...
// UNSAFE: access encoded nodes without validation
}This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.
The issue is resolved in version 0.24.0 by making constructor functions unsafe and mark the fields of struct as visible only in the crate.