VYPR
Critical severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 5, 2024

CVE-2019-25004

Description

An issue was discovered in the flatbuffers crate before 0.6.1 for Rust. Arbitrary bytes can be reinterpreted as a bool, defeating soundness.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Flatbuffers Rust crate before 0.6.1 allows arbitrary bytes to be reinterpreted as a bool, causing undefined behavior.

Vulnerability

Description

The flatbuffers crate for Rust, prior to version 0.6.1, contains an unsound implementation of the Follow trait for the bool type [1]. The Follow::follow function uses read_scalar_at, which effectively transmutes arbitrary bytes into a bool [4]. This violates Rust's type safety guarantees: a bool may only hold the bit patterns 0x00 or 0x01, so any other byte value produces an invalid boolean and therefore undefined behavior (UB).

Exploitation

Conditions

An attacker can trigger the vulnerability by providing malicious serialized data crafted with a byte that is not 0 or 1 in a position where a bool is expected [2]. The affected function is invoked when deserializing FlatBuffers messages. No special authentication or network position is required; any application using the vulnerable crate to parse untrusted input is at risk. The attack vector is network-based, with low complexity and no privileges required, as reflected in the CVSS score of 9.8 [2].

Impact

Exploitation can lead to undefined behavior, which may manifest as memory corruption, crashes, or potential code execution. Since UB undermines all safety guarantees in Rust, it could allow an attacker to bypass security checks or cause denial of service. The high CVSS score indicates severe impact on confidentiality, integrity, and availability [2].

Mitigation

The flaw was addressed in flatbuffers version 0.6.1 by correcting the Follow implementation to properly validate boolean values [2]. Users should update to 0.6.1 or later. Versions prior to 0.4.0 are also unaffected, but the advisory recommends upgrading to the patched release [2]. No workaround is available other than updating.
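The unsound read described above and the validating decode that the fix calls for, as an added Rust example (not the flatbuffers crate's own code; the function names, the error type and the sample buffer are constructed for illustration):

```rust
// Decoding a FlatBuffers-style bool scalar from a byte slice without trusting
// the byte to be a valid `bool` bit pattern. Hypothetical helper names; this is
// not the crate's API.

// Unsound pattern (what the pre-0.6.1 `Follow for bool` amounted to):
//   unsafe { std::ptr::read(buf.as_ptr().add(loc) as *const bool) }
// Any byte other than 0x00/0x01 yields a `bool` with an invalid value: UB.

#[derive(Debug, PartialEq, Eq)]
pub enum BoolError {
    OutOfBounds(usize),
    InvalidBitPattern { loc: usize, byte: u8 },
}

/// Sound decode that maps every byte to a bool: non-zero is true.
/// No invalid `bool` value can ever be materialized.
pub fn read_bool_lenient(buf: &[u8], loc: usize) -> Option<bool> {
    buf.get(loc).map(|&b| b != 0)
}

/// Stricter decode that rejects anything other than 0/1 as malformed input,
/// which is what a verifier for untrusted buffers should prefer.
pub fn read_bool_strict(buf: &[u8], loc: usize) -> Result<bool, BoolError> {
    match buf.get(loc) {
        None => Err(BoolError::OutOfBounds(loc)),
        Some(0) => Ok(false),
        Some(1) => Ok(true),
        Some(&b) => Err(BoolError::InvalidBitPattern { loc, byte: b }),
    }
}

fn main() {
    // Constructed sample buffer: the bool field at offset 3 holds 0x7f, which a
    // transmute-based reader would accept and a validating reader rejects.
    let buf: [u8; 6] = [0x00, 0x01, 0x00, 0x7f, 0x01, 0x00];
    println!("lenient: {:?}", read_bool_lenient(&buf, 3));
    println!("strict:  {:?}", read_bool_strict(&buf, 3));
}
```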

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: flatbuffers (crates.io)
Affected versions: >= 0.4.0, < 0.6.1
Patched versions: 0.6.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)