CVE-2021-38196
Description
The better-macro crate for Rust intentionally executes arbitrary code via proc-macros, demonstrating a security risk with no legitimate purpose.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The better-macro crate (through version 2021-07-22) intentionally introduces arbitrary code execution during Rust compilation via proc-macros [1][2]. It is a demonstration crate with no legitimate purpose, affecting any Rust project that includes it as a dependency [3]. All versions are considered vulnerable.
Exploitation
An attacker can trigger code execution by inducing a developer to build a project that depends on the crate [3]. The proc-macro runs during compilation, requiring no user interaction at runtime. The crate currently opens a URL (hi.md) that is not malicious, but the mechanism allows arbitrary code execution [4].
Impact
Successful exploitation achieves remote code execution (RCE) on the build system [3]. The attacker can execute arbitrary commands at compile time, potentially compromising the entire build environment and any secrets or artifacts present.
Mitigation
No patched versions exist; the crate is intentionally malicious and has no legitimate purpose [3]. Developers must remove the crate from their dependencies entirely. It is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
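One way to carry out the Mitigation step above (confirm the dependency is gone) is to scan a project's Cargo.lock for the crate and the range from the Affected packages table. This is an added example, not code from the advisory or the better-macro project; `find_affected`, `parse_version`, the constructed `SAMPLE_LOCK` input and the use of 1.0.4 as the upper bound are this example's own assumptions.

```rust
// Added example, not code from the advisory or the better-macro project:
// report every `[[package]]` entry in a Cargo.lock that is the crate named in
// this advisory at or below the advisory's upper affected version (1.0.4).
// Cargo.lock is TOML, but only `name`/`version` matter, so a dependency-free
// line parser is enough.

/// Parse "1.0.4" into (1, 0, 4); pre-release/build suffixes are ignored.
fn parse_version(v: &str) -> (u64, u64, u64) {
    let mut p = v
        .split(|c| c == '.' || c == '-' || c == '+')
        .map(|s| s.parse::<u64>().unwrap_or(0));
    (p.next().unwrap_or(0), p.next().unwrap_or(0), p.next().unwrap_or(0))
}

/// Returns (name, version) for each matching package. A package block ends at
/// the next `[[package]]` or `[metadata]` header or at end of file.
pub fn find_affected(lockfile: &str, crate_name: &str, max_affected: &str) -> Vec<(String, String)> {
    let limit = parse_version(max_affected);
    let mut findings = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    // The trailing synthetic header flushes the last block without repeating the check.
    for line in lockfile.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line.starts_with('[') {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                if n == crate_name && parse_version(&v) <= limit {
                    findings.push((n, v));
                }
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    findings
}

/// Constructed sample lockfile (not from any real project).
pub const SAMPLE_LOCK: &str = "version = 3\n\n[[package]]\nname = \"better-macro\"\nversion = \"1.0.4\"\nsource = \"registry+https://github.com/rust-lang/crates.io-index\"\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.130\"\n";

fn main() {
    for (name, version) in find_affected(SAMPLE_LOCK, "better-macro", "1.0.4") {
        println!("affected dependency in Cargo.lock: {} {}", name, version);
    }
}
```

Because the advisory says the crate has no legitimate purpose, any occurrence should be treated as a finding regardless of version; the bound only mirrors the advisory table.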
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| better-macro | crates.io | <= 1.0.4 | — |
Affected products
- better-macro/better-macro
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The crate intentionally executes arbitrary code inside a proc-macro, demonstrating that proc-macros can run arbitrary commands at compile time."
Attack vector
An attacker can trick a developer into including the `better-macro` crate as a dependency. When the proc-macro is expanded at compile time, it executes arbitrary code; the crate currently opens a URL but could be modified to run any command [1][2]. This is a classic code injection via proc-macro [CWE-94].
Affected code
The `better-macro` crate's `better_macro::println` function (affected versions >1.0.0) contains deliberate remote code execution via proc-macros. The malicious code is located at `src/lib.rs` lines 36–38 [1][2].
What the fix does
No patched version exists [1][2]. The advisory explicitly states the crate has no legitimate purpose and should not be used. The only remediation is to remove the dependency entirely.
Preconditions
- config: The developer must add `better-macro` as a dependency in their Cargo.toml.
- input: The proc-macro must be expanded during compilation (triggered by using `better_macro::println`).
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-79wf-qcqv-r22r (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-38196 (NVD advisory)
3. github.com/raycar5/better-macro/blob/24ff1702397b9c19bbfa4c660e2316cd77d3b900/src/lib.rs (source)
4. raw.githubusercontent.com/rustsec/advisory-db/main/crates/better-macro/RUSTSEC-2021-0077.md (RustSec advisory-db)
5. rustsec.org/advisories/RUSTSEC-2021-0077.html (RustSec advisory)
News mentions
No linked articles in our index yet.