VYPR
Moderate severityNVD Advisory· Published Feb 6, 2026· Updated Feb 6, 2026

time affected by a stack exhaustion denial of service attack

CVE-2026-25727

Description

time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
timecrates.io
>= 0.3.6, < 0.3.470.3.47

Affected products

186

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.