CVE-2018-25024
Description
An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Actix-web before 0.7.15 unsoundly coerces immutable to mutable references, leading to memory corruption.
Vulnerability
Affected versions of the actix-web crate (before 0.7.15) contain an unsound use of unsafe Rust that allows coercing an immutable reference into a mutable reference. This violates Rust's memory safety guarantees and can lead to data races and corruption. The flaw is present in the crate's internal implementation and can be triggered through normal API usage that exercises the unsafe code paths.
Exploitation
An attacker can exploit this vulnerability by interacting with a server running an affected version. No special privileges are required; sending crafted HTTP requests that trigger the vulnerable code path may cause the unsound coercion. The advisory [3] indicates multiple memory safety issues, but specific exploitation steps are not publicly detailed; what is known is that the unsound reference conversion can produce unexpected behavior under concurrency.
Impact
Successful exploitation can lead to memory corruption, potentially resulting in a crash or arbitrary code execution (RCE) depending on how the corrupted memory is used. The RustSec advisory categorizes this as a memory corruption vulnerability [3].
Mitigation
The fix is included in actix-web version 0.7.15 and later, released after the issue was disclosed. Users should update their dependencies to at least 0.7.15 to remediate the vulnerability. No workarounds are available; upgrading is the only solution.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actix-web (crates.io) | < 0.7.15 | 0.7.15 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-9qj6-4rfq-vm84 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-25024 (GHSA: advisory)
- github.com/actix/actix-web/issues/289 (GHSA: web)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/actix-web/RUSTSEC-2018-0019.md (GHSA, x_refsource_MISC: web)
- rustsec.org/advisories/RUSTSEC-2018-0019.html (GHSA, x_refsource_MISC: web)
News mentions: 0
No linked articles in our index yet.