VYPR

apk package

chainguard/zed

pkg:apk/chainguard/zed

Vulnerabilities (35)

  • CVE-2025-53901Jul 18, 2025
    affected < 0.219.4-r0fixed 0.219.4-r0

    Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op

  • CVE-2025-4574MedMay 13, 2025
    affected < 0.181.6-r0fixed 0.181.6-r0

    In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

  • CVE-2025-4432MedMay 9, 2025
    affected < 0.178.5-r0fixed 0.178.5-r0

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2025-24898MedFeb 3, 2025
    affected < 0.171.6-r1fixed 0.171.6-r1

    rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's

  • CVE-2024-51756LowNov 5, 2024
    affected < 0.159.10-r1fixed 0.159.10-r1

    The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a

  • CVE-2024-51745Nov 5, 2024
    affected < 0.159.10-r1fixed 0.159.10-r1

    Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su

  • CVE-2024-47813Oct 9, 2024
    affected < 0.156.0-r1fixed 0.156.0-r1

    Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi

  • CVE-2024-47763Oct 9, 2024
    affected < 0.156.0-r1fixed 0.156.0-r1

    Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or

  • CVE-2024-43806MedAug 26, 2024
    affected < 0.147.2-r0fixed 0.147.2-r0

    Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this c

  • CVE-2024-30266Apr 4, 2024
    affected < 0.146.3-r0fixed 0.146.3-r0

    wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this pan

  • CVE-2023-49092MedNov 28, 2023
    affected < 0.166.1-r0fixed 0.166.1-r0

    RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key

  • CVE-2023-43669HigSep 21, 2023
    affected < 0.147.2-r0fixed 0.147.2-r0

    The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) a

  • CVE-2021-29937CriApr 1, 2021
    affected < 0fixed 0

    An issue was discovered in the telemetry crate through 2021-02-17 for Rust. There is a drop of uninitialized memory if a value.clone() call panics within misc::vec_with_size().

  • CVE-2019-25009CriDec 31, 2020
    affected < 0.146.3-r0fixed 0.146.3-r0

    An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.

  • CVE-2020-25574HigSep 14, 2020
    affected < 0.146.3-r0fixed 0.146.3-r0

    An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop).

Page 2 of 2