VYPR

apk package

chainguard/lychee

pkg:apk/chainguard/lychee

Vulnerabilities (9)

  • CVE-2026-31812HigMar 10, 2026
    affected < 0.23.0-r2fixed 0.23.0-r2

    Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malf

  • CVE-2026-25727Feb 6, 2026
    affected < 0.22.0-r5fixed 0.22.0-r5

    time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used

  • CVE-2026-25541Feb 4, 2026
    affected < 0.22.0-r3fixed 0.22.0-r3

    Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe

  • CVE-2026-25537Feb 4, 2026
    affected < 0.22.0-r4fixed 0.22.0-r4

    jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number)

  • CVE-2026-21895Jan 8, 2026
    affected < 0.22.0-r1fixed 0.22.0-r1

    The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

  • CVE-2024-12224May 30, 2025
    affected < 0.23.0-r0fixed 0.23.0-r0

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2025-4574MedMay 13, 2025
    affected < 0.18.1-r4fixed 0.18.1-r4

    In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

  • CVE-2025-4432MedMay 9, 2025
    affected < 0.18.1-r1fixed 0.18.1-r1

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2025-24898MedFeb 3, 2025
    affected < 0.18.0-r1fixed 0.18.0-r1

    rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's