CVE-2021-45691
Description
An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string may read from uninitialized memory locations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
messagepack-rs crate through 2021-01-26 has a vulnerability where `deserialize_string` reads uninitialized memory, leading to potential memory exposure.
Vulnerability
The messagepack-rs crate for Rust, versions up to and including 2021-01-26, contains a memory-safety vulnerability in the `deserialize_string` function (and related deserialization functions). These functions call `unsafe { buf.set_len(size); }` on a `Vec` created with `Vec::with_capacity(size)`, which allocates but does not initialize the memory. The uninitialized buffer is then handed to a user-provided `Read` implementation via `buf_reader.read_exact(...)`. If the read fails, the function returns an error, but the uninitialized memory content may already have been exposed to the reader or used in further operations [2][3].
Exploitation
An attacker can exploit this vulnerability by crafting malicious data that causes `read_exact` to fail part-way through, or by controlling the `size` parameter to expose uninitialized heap memory. The attacker does not need authentication or special privileges, but must be able to supply input to a process that uses the affected messagepack-rs crate for deserialization. The vulnerable code path is triggered when `deserialize_string`, `deserialize_binary`, or similar functions are called and the `Read` operation encounters an error [2][3].
Impact
Successful exploitation allows an attacker to cause the application to read from uninitialized memory locations, potentially leaking sensitive heap data. This memory exposure can lead to information disclosure, and in certain cases, may be leveraged for further attacks. The RustSec advisory classifies this as a memory-exposure vulnerability [3].
Mitigation
As of the last update of the RustSec advisory (June 2023), no patched version of messagepack-rs has been released [3]. The crate appears to be unmaintained, and users are advised to avoid using it. Workarounds include switching to alternative MessagePack implementations in Rust that are actively maintained [3][4]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
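The safe pattern that replaces the `with_capacity` + `set_len` idiom described in the Vulnerability section, shown as an added example written for this page (not code from messagepack-rs); `MAX_STRING_LEN` and `SnoopingFailingReader` are assumed names. The snooping reader stands in for any untrusted `Read` implementation and shows why the buffer handed to it must be initialized.

```rust
use std::io::{self, Read};

/// Assumed upper bound on a decoded string; a real decoder would size this
/// for its protocol. It also stops an attacker-controlled `size` from driving
/// an unbounded allocation.
pub const MAX_STRING_LEN: usize = 1 << 20;

/// Hardened counterpart of the vulnerable function: the buffer is
/// zero-initialized with `vec![0u8; size]`, so no user-provided reader ever
/// observes stale heap contents, even when the read fails.
pub fn deserialize_string_safe<R: Read>(reader: &mut R, size: usize) -> io::Result<String> {
    if size > MAX_STRING_LEN {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "string length exceeds limit"));
    }
    // Every byte is initialized before `read_exact` sees the slice.
    let mut buf = vec![0u8; size];
    reader.read_exact(&mut buf)?;
    // MessagePack `str` payloads must be valid UTF-8; reject anything else.
    String::from_utf8(buf).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
}

/// A `Read` implementation that records whatever buffer it is given and then
/// fails. A reader can inspect its buffer like this, which is why handing it
/// uninitialized memory (as the vulnerable code did) is an exposure.
pub struct SnoopingFailingReader {
    pub observed: Vec<u8>,
}

impl Read for SnoopingFailingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.observed.extend_from_slice(buf);
        Err(io::Error::new(io::ErrorKind::UnexpectedEof, "short read"))
    }
}

fn main() {
    // Constructed sample input: the 5-byte body of a MessagePack str "hello".
    let mut ok: &[u8] = b"hello";
    println!("{:?}", deserialize_string_safe(&mut ok, 5));

    // Failing reader: the decode errors out, and the only thing the reader
    // could observe is zeros.
    let mut bad = SnoopingFailingReader { observed: Vec::new() };
    println!("{:?}", deserialize_string_safe(&mut bad, 8));
    println!("reader observed {:?}", bad.observed);
}
```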
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| messagepack-rs (crates.io) | <= 0.8.1 | — |
Affected products
- messagepack-rs/messagepack-rs
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-jwfh-j623-m97h (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-45691 (NVD)
- github.com/otake84/messagepack-rs/issues/2 (upstream issue)
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/messagepack-rs/RUSTSEC-2021-0092.md (RustSec advisory source)
- rustsec.org/advisories/RUSTSEC-2021-0092.html (RustSec advisory)