CVE-2021-43620
Description
An issue was discovered in the fruity crate through 0.2.0 for Rust. Security-relevant validation of filename extensions is plausibly affected. Methods of NSString for conversion to a string may return a partial result. Because they call CStr::from_ptr on a pointer to the string buffer, the string is terminated at the first '\0' byte, which might not be the end of the string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fruity (crates.io) | >= 0.1.0, < 0.3.0 | 0.3.0 |
Affected products
- fruity crate / fruity crate
Patches
Vulnerability mechanics
Root cause
"`NSString` conversion methods call `CStr::from_ptr`, which truncates the string at the first null byte, allowing null-byte injection to bypass filename-extension validation."
Attack vector
An attacker supplies a filename that contains a null byte followed by an allowed extension, e.g. `file.exe\0.txt`. An `NSString` can legitimately hold such a string, so any check that looks at the whole `NSString` (a Foundation-side extension check, for instance) sees the trailing `.txt` and accepts the name. When the same string is then converted with one of the affected methods, `CStr::from_ptr` stops at the first `\0` and the Rust side operates on `file.exe`. The two views of one filename disagree, so the extension check is bypassed and the application may create or open a file with an extension it intended to reject. The reverse split, validating on the truncated Rust string while another component uses the full `NSString`, produces the same class of mismatch. [CWE-20]
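To make the mechanics concrete, here is an added Rust example; it is not fruity's code and not the fix that any fruity release ships. It stands in for an `NSString` with a plain byte buffer plus a byte count, mirroring what `-[NSString UTF8String]` and `-[NSString lengthOfBytesUsingEncoding:]` provide. The `FakeNSString` type, the `replay` function and the `file.exe\0.txt` payload are constructed for this example. It shows the `CStr::from_ptr` truncation from the root cause, a length-aware conversion that preserves the whole string, and why an extension check that sees the full string disagrees with code that uses the truncated one.

```rust
use std::ffi::CStr;
use std::os::raw::c_char;

/// Constructed stand-in for an NSString: Foundation hands out a
/// NUL-terminated UTF-8 buffer, but the string itself may contain '\0'
/// bytes, so the terminator is not a reliable end marker. (Assumption:
/// this type only models that shape; it is not fruity's NSString.)
pub struct FakeNSString {
    bytes: Vec<u8>, // content followed by the trailing terminator
}

impl FakeNSString {
    pub fn new(content: &[u8]) -> Self {
        let mut bytes = content.to_vec();
        bytes.push(0); // the terminator a C-string accessor appends
        FakeNSString { bytes }
    }

    /// Plays the role of `-[NSString UTF8String]`.
    pub fn utf8_ptr(&self) -> *const c_char {
        self.bytes.as_ptr() as *const c_char
    }

    /// Plays the role of `-[NSString lengthOfBytesUsingEncoding:]`:
    /// the byte length of the content, excluding the terminator.
    pub fn utf8_len(&self) -> usize {
        self.bytes.len() - 1
    }
}

/// The affected pattern: CStr::from_ptr scans for the first '\0', so an
/// embedded null silently drops everything after it.
pub fn to_str_truncating(s: &FakeNSString) -> &str {
    // SAFETY: the buffer is NUL-terminated and lives as long as `s`.
    let c = unsafe { CStr::from_ptr(s.utf8_ptr()) };
    c.to_str().expect("buffer is valid UTF-8")
}

/// Length-aware conversion: read exactly the reported number of bytes
/// instead of scanning for a terminator, so embedded nulls survive.
pub fn to_str_full(s: &FakeNSString) -> &str {
    // SAFETY: utf8_len() bytes starting at utf8_ptr() are initialised
    // and owned by `s` for the lifetime of the borrow.
    let bytes = unsafe { std::slice::from_raw_parts(s.utf8_ptr() as *const u8, s.utf8_len()) };
    std::str::from_utf8(bytes).expect("buffer is valid UTF-8")
}

/// A naive allow-list check on the final extension, behaving on the full
/// string the way a Foundation-side `pathExtension` check would.
pub fn extension_allowed(name: &str, allowed: &[&str]) -> bool {
    match name.rsplit_once('.') {
        Some((_, ext)) => allowed.contains(&ext),
        None => false,
    }
}

/// Hardened caller-side check: a filename carrying an embedded null cannot
/// be interpreted consistently by every layer, so reject it outright.
pub fn extension_allowed_strict(name: &str, allowed: &[&str]) -> bool {
    !name.contains('\0') && extension_allowed(name, allowed)
}

/// Replays the attack vector. Returns (what the full-string check saw,
/// whether it accepted, what the truncating conversion handed to Rust code).
pub fn replay(payload: &[u8], allowed: &[&str]) -> (String, bool, String) {
    let ns = FakeNSString::new(payload);
    let full = to_str_full(&ns);
    let truncated = to_str_truncating(&ns);
    (full.to_owned(), extension_allowed(full, allowed), truncated.to_owned())
}

fn main() {
    // Constructed payload: disallowed name, null byte, allowed extension.
    let (seen_by_check, accepted, used_by_rust) = replay(b"file.exe\0.txt", &["txt"]);
    println!("check saw {:?}: accepted={}", seen_by_check, accepted);
    println!("Rust side used {:?}", used_by_rust);
    println!("strict check: {}", extension_allowed_strict(&seen_by_check, &["txt"]));
}
```

The strict check is what a caller can do today regardless of crate version; the length-aware conversion is what a library fix needs, because the crate cannot know which callers treat an embedded null as meaningful data.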
Affected code
The advisory identifies `fruity::foundation::NSString::to_str`, `to_str_with_nul`, `to_string`, and `to_string_with_nul` as the vulnerable functions. The `Display`, `PartialEq`, `PartialOrd`, and `ToString` implementations for `NSString` are affected as well because they call those functions, so comparing two `NSString`s or formatting one can likewise see only the prefix before the first `\0`. The change linked from this page is not a source patch: it is the advisory file `crates/fruity/RUSTSEC-0000-0000.md` (advisory-db's placeholder name for a new entry) added to the rustsec/advisory-db repository in pull request 1102.
What the fix does
The linked change adds the RustSec advisory (`RUSTSEC-0000-0000.md`) documenting the vulnerability and its impact; it contains no code fix. At the time the advisory was filed, its `[versions] patched = []` entry listed no patched release, whereas the GitHub Security Advisory cited in the Affected packages table above lists 0.3.0 as patched, so consult the current RustSec entry rather than either snapshot before deciding whether an upgrade closes the issue. The advisory recommends using unique generated filenames instead of user-provided names, which removes the dependency on extension validation that null-byte truncation can bypass.
Preconditions
- config: The application must convert a user-influenced `NSString` filename with one of the affected methods (`to_str`, `to_string`, or the `Display`/`ToString` impls) and either use the result in a security decision or use it for the file operation after validating the full `NSString`; in both cases two components see different strings for the same name.
- input: The attacker must be able to supply a filename containing a null byte (e.g., `file.exe\0.txt`) that reaches the application as an `NSString`.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h352-g5vw-3926 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43620 (NVD entry)
- github.com/nvzqz/fruity/issues/14 (upstream issue report)
- github.com/rustsec/advisory-db/pull/1102 (RustSec advisory pull request)
- rustsec.org/advisories/RUSTSEC-2021-0123.html (RustSec advisory)
News mentions
No linked articles in our index yet.