CVE-2020-25575
Description
An issue was discovered in the failure crate through 0.1.5 for Rust. It may introduce "compatibility hazards" in some applications, and has a type confusion flaw when downcasting. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: This may overlap CVE-2019-25010
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The failure crate for Rust (<=0.1.5) contains a type confusion vulnerability when downcasting, leading to potential memory safety issues.
Vulnerability Overview
The failure crate for Rust, up to version 0.1.5, contains a type confusion flaw that occurs during downcasting operations. This issue arises from the crate's internal __private_get_type_id__ method, which can be overridden, allowing an attacker to manipulate type identification and cause the downcast to incorrectly assume a type mismatch or match [1][3]. This unsoundness can lead to undefined behavior, including memory corruption [3].
Attack Surface and Exploitation
The vulnerability is triggered when a downstream application uses failure's downcasting functionality with a crafted error type that overrides the private method [3]. An attacker who can influence the error types used in the application—for example, by providing unexpected input that leads to a specific error—may be able to cause a type confusion [1]. No special privileges or user interaction are required beyond the application's normal error handling flow [3][4]. The attack vector is network-based, with a CVSS score of 9.8 (Critical) [3][4].
Impact
Successful exploitation could allow an attacker to achieve arbitrary type casting, bypassing Rust's type safety guarantees [1][3]. This can result in memory corruption, potentially leading to denial of service, information disclosure, or even arbitrary code execution [3][4]. The failure crate is no longer maintained, and no patched versions exist [1][4].
Mitigation Status
The failure crate has been officially deprecated and is considered unmaintained [2][4]. Users are strongly advised to migrate to alternative error handling crates such as fehler or use the standard std::error::Error trait [2]. No fix is available for the vulnerability, and the affected versions are beyond support [1][4].
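The overridable type-id hook described in the overview, and the `std::any::Any`-based downcast that the `std::error::Error` ecosystem relies on instead, as an added Rust example (this is not code from the failure crate or its advisory; the trait names `HookedFail` and `SoundFail` and the error types are constructed for the illustration):

```rust
use std::any::{Any, TypeId};
use std::fmt;

// Constructed error types for this illustration (not from the failure crate).
#[derive(Debug)]
struct IoFailure;
#[derive(Debug)]
struct ParseFailure;

// Pattern 1: the trait exposes an overridable hook that reports the concrete
// type. Any implementor can return a TypeId that does not describe `Self`, so a
// downcast built on this hook can be made to "match" the wrong type.
trait HookedFail: fmt::Debug + 'static {
    fn reported_type_id(&self) -> TypeId {
        TypeId::of::<Self>()
    }
}
impl HookedFail for IoFailure {}
impl HookedFail for ParseFailure {
    // A misbehaving override: this value claims the object is an IoFailure.
    fn reported_type_id(&self) -> TypeId {
        TypeId::of::<IoFailure>()
    }
}

/// Whether a hook-based downcast to `T` would be accepted. The pointer cast that
/// would follow is left out on purpose: accepting a mismatched type is already
/// the unsound step.
fn hook_says_is<T: 'static>(e: &dyn HookedFail) -> bool {
    e.reported_type_id() == TypeId::of::<T>()
}

// Pattern 2: the trait hands the object out as `dyn Any`. `Any::type_id` is
// blanket-implemented by the standard library for every `'static` type and
// cannot be overridden, so the type check and the cast always agree.
trait SoundFail: fmt::Debug {
    fn as_any(&self) -> &dyn Any;
}
impl SoundFail for IoFailure { fn as_any(&self) -> &dyn Any { self } }
impl SoundFail for ParseFailure { fn as_any(&self) -> &dyn Any { self } }

/// Downcast through `Any`: returns `None` on a type mismatch instead of trusting
/// whatever the implementor reports.
fn sound_downcast<T: Any>(e: &dyn SoundFail) -> Option<&T> {
    e.as_any().downcast_ref::<T>()
}
```

With the hook-based design, `hook_says_is::<IoFailure>(&ParseFailure)` is accepted; with the `Any`-based design, `sound_downcast::<IoFailure>(&ParseFailure)` is `None`.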
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| failure (crates.io) | <= 0.1.8 | — |
Affected products
- failure crate / failure crate
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jq66-xh47-j9f3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-25575 (advisory)
- boats.gitlab.io/blog/post/failure-to-fehler (web)
- github.com/RustCrypto/hashes/pull/91 (web)
- github.com/RustSec/advisory-db/blob/main/crates/failure/RUSTSEC-2019-0036.md (web)
- github.com/rust-lang-nursery/failure/issues/336 (web)
- rustsec.org/advisories/RUSTSEC-2019-0036.html (web)
- rustsec.org/advisories/RUSTSEC-2020-0036.html (web)
News mentions
No linked articles in our index yet.