VYPR
Critical severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45693

Description

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string_primitive may read from uninitialized memory locations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The messagepack-rs crate in Rust passes uninitialized memory to user-provided Read, potentially leaking sensitive data.

Vulnerability

In the messagepack-rs crate (versions through 2021-01-26), several deserialization functions, including deserialize_string_primitive, pass uninitialized memory to a user-provided Read implementation. Specifically, the functions allocate a Vec with Vec::with_capacity(size) and then use unsafe { buf.set_len(size); } without initializing the memory, followed by buf_reader.read_exact(&mut buf[..]). This can result in reading from uninitialized memory locations, as described in the RustSec advisory RUSTSEC-2021-0092 [3] and the GitHub issue [2].

Exploitation

An attacker can craft a malicious MessagePack payload that causes the deserialization to allocate a buffer of a certain size and then trigger a read from uninitialized memory. The attacker must have some way to influence the input to a Read implementation that is passed to these vulnerable functions. The exploitation requires no special privileges beyond being able to supply data to the deserialization process. The RustSec advisory notes that the read_exact call reads into the buffer, but if the Read returns fewer bytes than expected or fails, the uninitialized portion may be exposed [2][3].

Impact

Successfully exploiting this vulnerability could lead to information disclosure, as uninitialized memory may contain sensitive data from previous heap allocations. This is a memory exposure issue that could leak secrets such as cryptographic keys, passwords, or other confidential information. The RustSec advisory categorizes it as "memory-exposure" [3]. There is no known remote code execution (RCE) or privilege escalation, but the confidentiality of the application could be compromised.

Mitigation

As of the last update (June 13, 2023), the messagepack-rs crate has no patched version available [3]. The project appears to be unmaintained, as the GitHub repository [4] has no recent commits addressing this issue. Users are advised to avoid using the crate and migrate to alternatives such as rmp-serde or msgpack that properly handle buffer initialization. Since no fix exists, there is no workaround other than not using the vulnerable crate.
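The allocation pattern described under Vulnerability, with the hardened form the Mitigation section calls for, as an added example that is not the messagepack-rs crate's own code. The parser handles the fixstr, str 8 and str 16 headers and uses a constructed "snooping" Read implementation to show that a zero-initialised buffer exposes nothing to the reader even on a short read; the max_len bound is an assumption, not part of the crate.

```rust
use std::io::{self, Read};

/// Parse a MessagePack string (fixstr / str 8 / str 16) from `reader`.
/// Hardened counterpart of deserialize_string_primitive: the payload buffer
/// is zero-initialised before it is handed to the untrusted `Read`, so a
/// short read or a snooping reader can only ever observe zeros.
pub fn deserialize_string_primitive<R: Read>(reader: &mut R, max_len: usize) -> io::Result<String> {
    let mut head = [0u8; 1];
    reader.read_exact(&mut head)?;
    let len = match head[0] {
        b @ 0xa0..=0xbf => (b & 0x1f) as usize, // fixstr: 101xxxxx
        0xd9 => { let mut l = [0u8; 1]; reader.read_exact(&mut l)?; l[0] as usize } // str 8
        0xda => { let mut l = [0u8; 2]; reader.read_exact(&mut l)?; u16::from_be_bytes(l) as usize } // str 16
        other => return Err(io::Error::new(io::ErrorKind::InvalidData, format!("not a str header: {:#x}", other))),
    };
    if len > max_len {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "str length exceeds limit"));
    }
    // Vulnerable original pattern (RUSTSEC-2021-0092), shown for contrast only:
    //   let mut buf = Vec::with_capacity(len);
    //   unsafe { buf.set_len(len); }   // len bytes of stale heap memory
    //   reader.read_exact(&mut buf[..])?;
    // Hardened: fully initialise the allocation before untrusted code can observe it.
    let mut buf = vec![0u8; len];
    reader.read_exact(&mut buf)?;
    String::from_utf8(buf).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
}

/// Constructed test double: a Read impl that records what the buffer held when
/// it was handed over, then fills it. This is what a hostile Read could do with
/// the stale heap bytes an uninitialised buffer would carry.
pub struct SnoopingReader { pub data: Vec<u8>, pub seen: Vec<u8> }

impl Read for SnoopingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.seen.extend_from_slice(buf);
        let n = buf.len().min(self.data.len());
        buf[..n].copy_from_slice(&self.data[..n]);
        self.data.drain(..n);
        Ok(n)
    }
}

fn main() {
    // Constructed input: fixstr of length 5 carrying "hello".
    let mut r = SnoopingReader { data: vec![0xa5, b'h', b'e', b'l', b'l', b'o'], seen: vec![] };
    println!("{:?} / bytes handed to reader: {:?}", deserialize_string_primitive(&mut r, 1024), r.seen);
}
```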

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: messagepack-rs (crates.io)
Affected versions: <= 0.8.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)
