CVE-2021-29922
Description
Rust before 1.53.0 accepts leading zeros in IPv4 address octets and reads such octets as decimal, while the C library and many other parsers read them as octal; the resulting ambiguity enables SSRF/RFI bypass of IP-based access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
library/std/src/net/parser.rs in Rust before version 1.53.0 accepts leading zero characters in IPv4 address string octets and reads the octet as decimal, so "0127.0.0.1" parses successfully as 127.0.0.1 instead of being rejected. The same string is read as octal by inet_aton-style parsers in the C library and by many other stacks, which turn "0127" into 87 and connect to 87.0.0.1. IETF RFC 6943 recommends that IPv4 string representations be restricted to plain dotted-decimal, disallowing octal and hexadecimal forms [3]. The Rust parser already rejected the hexadecimal form (an "0x" prefix is not a decimal digit) but did not reject zero-prefixed octets, so a string that denotes one address to Rust and a different address to the socket layer was accepted. The bug affects all Rust versions through 1.52.1 inclusive [4].
Exploitation
An unauthenticated remote attacker can supply a crafted IP address string with zero-prefixed octets (e.g., 010.8.8.8 or 127.0.026.1) to any application that validates or filters destinations using addresses parsed by std::net::IpAddr or std::net::Ipv4Addr and then hands the original string, rather than the parsed address, to the component that opens the connection. No authentication or special privileges are required, and no user interaction beyond processing the input is needed [4]. For example, a web application that parses a user-supplied target with std::net::IpAddr to block internal ranges reads a string such as "0177.0.0.1" as 177.0.0.1 and allows it, while a libc-based HTTP client handed the same string reads 0177 as octal and connects to 127.0.0.1.
Impact
An attacker can achieve server-side request forgery (SSRF), remote file inclusion (RFI), or local file inclusion (LFI) by exploiting the discrepancy between the address the Rust parser produces and the address other components derive from the same string. This can lead to indeterminate security bypasses in access control mechanisms that rely on IP address validation. The impact is rated critical (CVSS:9.1) with high integrity and availability effects [4]. The vulnerability does not directly enable remote code execution but can facilitate further attacks.
Mitigation
The vulnerability is fixed in Rust 1.53.0, released on 2021-06-17 [3]. The fix disallows the zero-prefixed (octal-looking) format in IPv4 string parsing, aligning with IETF RFC 6943 [3]. Users should upgrade to Rust 1.53.0 or later. Applications that must stay on an earlier toolchain can apply the same check themselves before parsing: reject any octet that starts with '0' and has more than one digit. Independently of parser version, code that makes an access-control decision on a parsed address should pass that parsed Ipv4Addr (or its canonical display form) to whatever opens the connection, never the original user-supplied string, so the validated address and the connected address cannot diverge.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Rust / Rust
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Rust IP address parser interprets leading zeros as octal, allowing an attacker to supply an IP string that parses to a different address than expected."
Attack vector
An attacker can craft an IP address string with zero-prefixed octets (e.g., `0127.0.0.1`) that the Rust parser reads as plain decimal (127.0.0.1) while inet_aton-style parsers read as octal (87.0.0.1), so the address the application validated and the address it ultimately connects to differ. This bypasses access controls that rely on IP address matching whenever the check runs on the Rust-parsed value but the connection is made from the raw string. The attack requires no authentication and can be delivered over any network path where the IP string is processed by the vulnerable parser.
Affected code
The vulnerability resides in `library/std/src/net/parser.rs` in the Rust standard library before version 1.53.0. The IPv4 address parser does not reject leading zero characters in an octet; it reads the octet as decimal, so the same string is interpreted as a different address by parsers that treat a leading zero as octal notation.
What the fix does
The patch diff is not included in the bundle, but the referenced pull request (github.com/rust-lang/rust/pull/83652, "Disallow octal format in Ipv4 string") is the fix that shipped in Rust 1.53.0. It makes the IPv4 octet parser reject any octet that starts with '0' and has more than one digit, so `0127.0.0.1` fails to parse rather than being silently read as decimal; a bare `0` octet (as in `0.0.0.0`) remains valid.
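The ambiguity described under Exploitation and the check described under Mitigation and in the fix above, as an added example that is not code from the Rust project, the advisory, or this page. It re-implements the two colliding behaviours so they can be shown side by side on a patched toolchain: `lenient_parse` models how std::net before 1.53 read an octet (decimal, leading zeros ignored), and `inet_aton_parse` models how a C-library inet_aton-style parser reads the same string (four-part form only; the real function also accepts shorter forms). `has_zero_prefixed_octet` is the RFC 6943 check the fix adds, and `validate_target` is a hypothetical SSRF filter that applies it and returns the parsed address so the caller connects to what was validated. All function names and sample inputs are constructed for this example.

```rust
// Added example, not code from the Rust project or the advisory. The two
// parsers below are illustrative re-implementations, not std::net or libc.
use std::net::Ipv4Addr;

/// Models std::net before 1.53: each octet is a run of decimal digits and a
/// leading zero carries no meaning, so "0177" is 177. Hex ("0x7f") was
/// rejected then as now because 'x' is not a decimal digit.
fn lenient_parse(s: &str) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return None;
    }
    let mut octets = [0u8; 4];
    for (slot, part) in octets.iter_mut().zip(parts) {
        if part.is_empty() || !part.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        let v: u32 = part.parse().ok()?; // leading zeros are simply ignored
        if v > 255 {
            return None;
        }
        *slot = v as u8;
    }
    Some(Ipv4Addr::from(octets))
}

/// Models an inet_aton-style parser (four-part form only): "0x" prefix means
/// hex, a leading '0' followed by more digits means octal, otherwise decimal.
fn inet_aton_parse(s: &str) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return None;
    }
    let mut octets = [0u8; 4];
    for (slot, part) in octets.iter_mut().zip(parts) {
        let (digits, radix) = if let Some(h) =
            part.strip_prefix("0x").or_else(|| part.strip_prefix("0X"))
        {
            (h, 16)
        } else if part.len() > 1 && part.starts_with('0') {
            (&part[1..], 8)
        } else {
            (part, 10)
        };
        if digits.is_empty() || !digits.chars().all(|c| c.is_digit(radix)) {
            return None; // e.g. "08" is not valid octal
        }
        let v = u32::from_str_radix(digits, radix).ok()?;
        if v > 255 {
            return None;
        }
        *slot = v as u8;
    }
    Some(Ipv4Addr::from(octets))
}

/// The RFC 6943 check Rust 1.53 adds inside the parser; apply it in front of
/// any older toolchain's parser. A bare "0" octet is still allowed.
fn has_zero_prefixed_octet(s: &str) -> bool {
    s.split('.').any(|o| o.len() > 1 && o.starts_with('0'))
}

/// Hypothetical SSRF filter: reject ambiguous syntax, parse once, block
/// internal ranges, and return the parsed address so the caller connects to
/// exactly what was checked rather than to the raw user-supplied string.
fn validate_target(s: &str) -> Result<Ipv4Addr, &'static str> {
    if has_zero_prefixed_octet(s) {
        return Err("zero-prefixed octet (octal ambiguity)");
    }
    let ip: Ipv4Addr = s.parse().map_err(|_| "not dotted-decimal IPv4")?;
    if ip.is_loopback() || ip.is_private() || ip.is_link_local() || ip.is_unspecified() {
        return Err("internal address");
    }
    Ok(ip)
}

fn main() {
    // Constructed inputs following the advisory's pattern.
    for &s in ["0177.0.0.1", "010.8.8.8", "0x7f.0.0.1", "127.0.026.1"].iter() {
        println!(
            "{:12} std<1.53={:?}  inet_aton={:?}  std(now)={:?}  validate={:?}",
            s,
            lenient_parse(s),
            inet_aton_parse(s),
            s.parse::<Ipv4Addr>().ok(),
            validate_target(s),
        );
    }
}
```

On a 1.53 or later toolchain `s.parse::<Ipv4Addr>()` already rejects the zero-prefixed strings, so the explicit `has_zero_prefixed_octet` check is what you add on 1.52.1 or older; returning the parsed `Ipv4Addr` from the validator and using that for the connection removes the ambiguity regardless of parser version.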
Preconditions
- input: The target application must use the Rust standard library's IP address parser (library/std/src/net/parser.rs) on user-supplied IP strings.
- config: The application must enforce access control decisions based on the parsed IP address.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- security.gentoo.org/glsa/202210-09 (vendor advisory; MITRE)
- defcon.org/html/defcon-29/dc-29-speakers.html (MITRE)
- doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html (MITRE)
- github.com/rust-lang/rust/issues/83648 (MITRE)
- github.com/rust-lang/rust/pull/83652 (MITRE)
- github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md (MITRE)
News mentions
No linked articles in our index yet.