VYPR

apk package

chainguard/atuin

pkg:apk/chainguard/atuin

Vulnerabilities (9)

  • CVE-2026-25727Feb 6, 2026
    affected < 18.11.0-r2fixed 18.11.0-r2

    time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used

  • CVE-2026-25541Feb 4, 2026
    affected < 18.11.0-r1fixed 18.11.0-r1

    Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe

  • CVE-2026-21895Jan 8, 2026
    affected < 18.10.0-r1fixed 18.10.0-r1

    The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

  • CVE-2025-58160LowAug 29, 2025
    affected < 18.8.0-r1fixed 18.8.0-r1

    tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i

  • CVE-2024-58262Jul 27, 2025
    affected < 18.3.0-r2fixed 18.3.0-r2

    The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.

  • CVE-2024-12224May 30, 2025
    affected < 18.4.0-r0fixed 18.4.0-r0

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2025-4432MedMay 9, 2025
    affected < 18.4.0-r1fixed 18.4.0-r1

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2024-47609MedOct 1, 2024
    affected < 18.4.0-r1fixed 18.4.0-r1

    Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out

  • CVE-2023-49092Nov 28, 2023
    affected < 18.10.0-r0fixed 18.10.0-r0

    RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key