VYPR

apk package

wolfi/cargo-audit

pkg:apk/wolfi/cargo-audit

Vulnerabilities (18)

  • CVE-2026-44471 (High), May 13, 2026
    affected: < 0.22.2-r0; fixed: 0.22.2-r0

    gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symli

  • CVE-2026-31812 (High), Mar 10, 2026
    affected: < 0.22.1-r3; fixed: 0.22.1-r3

    Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malf

  • CVE-2026-25727, Feb 6, 2026
    affected: < 0.22.1-r1; fixed: 0.22.1-r1

    time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used

  • CVE-2026-25541, Feb 4, 2026
    affected: < 0.22.0-r1; fixed: 0.22.0-r1

    Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe
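
The following is an added example, not code from the bytes crate, modelling the capacity test in the reclaim path described above. `plan_reserve_unchecked` mirrors the vulnerable shape, using `wrapping_add` to stand in for what an unchecked `+` does in a release build (overflow checks off); `plan_reserve_checked` is the hardened shape. The function and enum names, and the sample sizes, are this example's own.

```rust
// Added example; not code from the bytes crate. It models the capacity test
// in the BytesMut::reserve reclaim path to show why an unchecked addition in
// that comparison is a problem.

#[derive(Debug, PartialEq, Eq)]
pub enum Plan {
    /// The consumed prefix (`offset` bytes) can be reclaimed by shifting the
    /// live bytes down; no new allocation is needed.
    ReclaimInPlace,
    /// The allocation is too small even after reclaiming; allocate afresh.
    Reallocate,
    /// `new_cap + offset` does not fit in a usize; the request is invalid.
    Overflow,
}

/// Vulnerable shape: `v_capacity >= new_cap + offset` with an unchecked `+`.
/// `wrapping_add` models what an unchecked `+` does in a release build
/// (overflow checks off): the sum wraps to a small number and the test
/// wrongly concludes that the existing allocation is big enough.
pub fn plan_reserve_unchecked(v_capacity: usize, new_cap: usize, offset: usize) -> Plan {
    if v_capacity >= new_cap.wrapping_add(offset) {
        Plan::ReclaimInPlace
    } else {
        Plan::Reallocate
    }
}

/// Hardened shape: the addition is checked, and overflow is reported instead
/// of a wrapped sum being compared against the real capacity.
pub fn plan_reserve_checked(v_capacity: usize, new_cap: usize, offset: usize) -> Plan {
    match new_cap.checked_add(offset) {
        None => Plan::Overflow,
        Some(needed) if v_capacity >= needed => Plan::ReclaimInPlace,
        Some(_) => Plan::Reallocate,
    }
}

fn main() {
    // Constructed inputs: a 64-byte allocation, 16 bytes already consumed,
    // and a reserve request that pushes the needed size past usize::MAX.
    let (v_capacity, offset) = (64usize, 16usize);
    let huge_new_cap = usize::MAX - 8;
    println!("unchecked: {:?}", plan_reserve_unchecked(v_capacity, huge_new_cap, offset));
    println!("checked:   {:?}", plan_reserve_checked(v_capacity, huge_new_cap, offset));
    // A normal request behaves the same either way.
    println!("normal:    {:?}", plan_reserve_checked(v_capacity, 40, offset));
}
```

With the huge request the wrapped sum is 7, so the unchecked variant reports that a 64-byte allocation is enough; the checked variant reports `Overflow` and the caller never proceeds on the false premise.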

  • CVE-2026-0810, Jan 26, 2026
    affected: < 0.22.1-r0; fixed: 0.22.1-r0

    A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are

  • CVE-2025-58160 (Low), Aug 29, 2025
    affected: < 0.21.2-r7; fixed: 0.21.2-r7

    tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i
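
As an added example (not tracing-subscriber code, and not its actual fix), the block below shows one way to keep untrusted fields from carrying ANSI escape sequences into a terminal log line: every control character, ESC included, is rewritten as a visible `\u{..}` escape before formatting. The helper names and the sample input are this example's own.

```rust
// Added example; not tracing-subscriber code. Shows how an untrusted field
// carrying ANSI escape sequences reaches the terminal unchanged, and one way
// to neutralise it before it is formatted into a log line.

/// True if the text contains ESC (0x1b) or a C1 control (U+0080..U+009F),
/// the characters that start ANSI escape sequences.
pub fn has_terminal_escapes(input: &str) -> bool {
    input.chars().any(|c| c == '\u{1b}' || ('\u{80}'..='\u{9f}').contains(&c))
}

/// Replaces every control character (C0, DEL and C1, i.e. `char::is_control`)
/// with a visible `\u{..}` escape. ESC is the one that matters for ANSI
/// injection; escaping newlines as well also blocks forged extra log lines.
pub fn sanitize_for_terminal(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if c.is_control() {
            out.push_str(&format!("\\u{{{:x}}}", c as u32));
        } else {
            out.push(c);
        }
    }
    out
}

/// Formats one log line the way a simple fmt layer might: the untrusted field
/// is sanitized, the static parts are not.
pub fn format_log_line(level: &str, target: &str, user_field: &str) -> String {
    format!("{level} {target}: user={}", sanitize_for_terminal(user_field))
}

fn main() {
    // Constructed untrusted input: clears the screen, homes the cursor and
    // prints a fake success message, as an attacker-controlled username might.
    let evil = "\u{1b}[2J\u{1b}[Hlogin ok for admin";
    println!("raw has escapes: {}", has_terminal_escapes(evil));
    println!("{}", format_log_line("INFO", "auth", evil));
}
```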

  • CVE-2024-12224, May 30, 2025
    affected: < 0.21.0-r3; fixed: 0.21.0-r3

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2025-4574 (Medium), May 13, 2025
    affected: < 0.21.2-r3; fixed: 0.21.2-r3

    In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

  • CVE-2025-4432 (Medium), May 9, 2025
    affected: < 0.21.2-r4; fixed: 0.21.2-r4

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2025-31130 (Medium), Apr 4, 2025
    affected: < 0.22.0-r0; fixed: 0.22.0-r0

    gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 withou

  • CVE-2025-22620 (Medium), Jan 20, 2025
    affected: < 0.21.2-r0; fixed: 0.21.2-r0

    gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject
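
The block below is an added example, not gix-worktree-state code. It assumes the strategy that is not subject to the umask is a chmod-style call (std::fs::set_permissions), which is the usual way that happens: the umask only applies when a file is created, so setting 0o777 afterwards lands on disk as 0o777. The safer helper adds execute bits only where read bits already exist, and so never adds write bits. Unix only; helper and file names are this example's own.

```rust
// Added example; not gix-worktree-state code. Shows why "set 0777 and let
// the umask trim it" only works for the create-with-mode path: a chmod
// (std::fs::set_permissions) ignores the umask entirely, so 0o777 lands on
// disk as written. The safer helper adds execute bits without ever adding
// write bits. Unix only.

use std::fs::{self, File, Permissions};
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o7777)
}

/// The strategy the advisory describes: chmod to 0o777 hoping the umask
/// will restrict it. It will not; chmod is not subject to the umask.
pub fn mark_executable_0777(path: &Path) -> io::Result<u32> {
    fs::set_permissions(path, Permissions::from_mode(0o777))?;
    mode_of(path)
}

/// Safer: add an execute bit wherever a read bit is already set, leaving the
/// write bits exactly as the file's creation (and therefore the umask) left
/// them. A 0o640 file becomes 0o750, never 0o777.
pub fn mark_executable_preserving_mask(path: &Path) -> io::Result<u32> {
    let current = mode_of(path)?;
    let exec_bits = (current & 0o444) >> 2; // r bits -> x bits
    fs::set_permissions(path, Permissions::from_mode(current | exec_bits))?;
    mode_of(path)
}

/// Creates a scratch file with a known mode so both strategies can be
/// compared deterministically, regardless of the process umask.
pub fn scratch_file(name: &str, mode: u32) -> io::Result<PathBuf> {
    let path = std::env::temp_dir().join(name);
    File::create(&path)?;
    fs::set_permissions(&path, Permissions::from_mode(mode))?;
    Ok(path)
}

fn main() -> io::Result<()> {
    let a = scratch_file("perm-demo-0777", 0o640)?;
    let b = scratch_file("perm-demo-safe", 0o640)?;
    println!("0777 strategy:       {:o}", mark_executable_0777(&a)?);
    println!("preserving strategy: {:o}", mark_executable_preserving_mask(&b)?);
    fs::remove_file(a)?;
    fs::remove_file(b)
}
```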

  • CVE-2024-45405 (Medium), Sep 6, 2024
    affected: < 0.21.2-r1; fixed: 0.21.2-r1

    `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolv

  • CVE-2024-45305 (Low), Sep 2, 2024
    affected: < 0.21.2-r1; fixed: 0.21.2-r1

    gix-path is a crate of the gitoxide project dealing with git paths and their conversions. `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if

  • CVE-2024-35197 (Medium), May 23, 2024
    affected: < 0.21.2-r1; fixed: 0.21.2-r1

    gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite

  • CVE-2024-35186 (High), May 23, 2024
    affected: < 0.21.2-r1; fixed: 0.21.2-r1

    gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads
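
The block below is an added example, not gix-worktree-state code. It is the lexical check a checkout needs before writing an entry: the path must be relative, free of `..` and empty components, and (for the Windows device-name issue listed just above) free of reserved names such as `CON` or `COM1` in any component. The check does not consult the file system, so the symlink case in the CVE-2026-44471 entry above is not covered by it; that needs the real parents of the target path inspected at write time. Names and error variants are this example's own.

```rust
// Added example; not gix-worktree-state code. A lexical check that a tree
// entry path from an untrusted repository stays inside the working tree,
// plus the Windows reserved-device-name test.

use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq, Eq)]
pub enum PathProblem {
    Empty,
    Absolute,
    ParentComponent,
    EmptyComponent,
    WindowsDeviceName(String),
}

/// Windows treats these names as devices whatever extension follows
/// (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), so `CON.md` is the console.
fn is_windows_device_name(component: &str) -> bool {
    let stem = component.split('.').next().unwrap_or("").to_ascii_uppercase();
    match stem.as_str() {
        "CON" | "PRN" | "AUX" | "NUL" => true,
        s if s.len() == 4 && (s.starts_with("COM") || s.starts_with("LPT")) => {
            matches!(s.as_bytes()[3], b'1'..=b'9')
        }
        _ => false,
    }
}

/// Validates a repository-relative entry path. Both '/' and '\\' are treated
/// as separators, because Windows honours both and the repository chooses
/// the bytes. The check is purely lexical: it does not consult the file
/// system, so symlinks already present in the tree are a separate concern.
pub fn check_entry_path(entry: &str) -> Result<(), PathProblem> {
    if entry.is_empty() {
        return Err(PathProblem::Empty);
    }
    let bytes = entry.as_bytes();
    let has_drive = bytes.len() >= 2 && bytes[0].is_ascii_alphabetic() && bytes[1] == b':';
    if entry.starts_with('/') || entry.starts_with('\\') || has_drive {
        return Err(PathProblem::Absolute);
    }
    for component in entry.split(|c: char| c == '/' || c == '\\') {
        match component {
            "" => return Err(PathProblem::EmptyComponent),
            ".." => return Err(PathProblem::ParentComponent),
            c if is_windows_device_name(c) => {
                return Err(PathProblem::WindowsDeviceName(c.to_string()))
            }
            _ => {}
        }
    }
    Ok(())
}

/// Joins an entry onto the working-tree root only after it passes the check.
pub fn resolve_in_worktree(root: &Path, entry: &str) -> Result<PathBuf, PathProblem> {
    check_entry_path(entry)?;
    Ok(root.join(entry.replace('\\', "/")))
}

fn main() {
    let root = Path::new("/tmp/worktree"); // constructed root
    let samples = ["src/main.rs", "../../.ssh/authorized_keys", "/etc/passwd", "docs/CON.md", "a//b"];
    for entry in samples {
        println!("{entry:?} -> {:?}", resolve_in_worktree(root, entry));
    }
}
```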

  • CVE-2024-32884 (Medium), Apr 26, 2024
    affected: < 0.21.2-r1; fixed: 0.21.2-r1

    gitoxide is a pure Rust implementation of Git. `gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, b
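
The block below is an added example, not gix-transport code. It parses the user part of an `ssh://` clone URL, refuses a user (or host) that begins with `-` and would therefore be read by the external `ssh` binary as an option, and builds the argv with `--` so that option parsing ends before the destination. The parser, names and sample URLs are this example's own.

```rust
// Added example; not gix-transport code. Parses the user part of an ssh://
// clone URL and refuses anything the external `ssh` binary could read as an
// option, then builds the argv with `--` so that even an odd-looking host
// cannot be parsed as a flag.

#[derive(Debug, PartialEq, Eq)]
pub struct SshTarget {
    pub user: Option<String>,
    pub host: String,
    pub path: String,
}

/// Minimal parse of `ssh://[user@]host[:port]/path` (port is ignored here).
pub fn parse_ssh_url(url: &str) -> Option<SshTarget> {
    let rest = url.strip_prefix("ssh://")?;
    let (authority, path) = rest.split_once('/')?;
    let (user, hostport) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u.to_string()), h),
        None => (None, authority),
    };
    let host = hostport.split(':').next()?.to_string();
    if host.is_empty() {
        return None;
    }
    Some(SshTarget { user, host, path: format!("/{path}") })
}

/// A username that starts with '-' would be handed to ssh as `-oFoo@host`
/// and parsed as an option. Reject it outright rather than trying to quote it.
pub fn user_looks_like_option(user: &str) -> bool {
    user.starts_with('-')
}

/// Builds the argv for the transport. Returns Err for a user or host that
/// could be taken as an option; `--` ends option parsing in OpenSSH.
pub fn build_ssh_argv(url: &str) -> Result<Vec<String>, String> {
    let t = parse_ssh_url(url).ok_or_else(|| format!("unparseable ssh url: {url}"))?;
    if let Some(u) = &t.user {
        if user_looks_like_option(u) {
            return Err(format!("refusing ssh user that looks like an option: {u}"));
        }
    }
    if t.host.starts_with('-') {
        return Err(format!("refusing host that looks like an option: {}", t.host));
    }
    let dest = match &t.user {
        Some(u) => format!("{u}@{}", t.host),
        None => t.host.clone(),
    };
    Ok(vec!["ssh".to_string(), "--".to_string(), dest])
}

fn main() {
    // Constructed URLs: a normal clone target and one with an option-shaped user.
    println!("{:?}", build_ssh_argv("ssh://git@example.com/org/repo.git"));
    println!("{:?}", build_ssh_argv("ssh://-oSomeOption=value@example.com/org/repo.git"));
}
```

The remote command (`git-upload-pack '<path>'`) is left out of the argv on purpose; quoting it is a separate concern from the option-smuggling check shown here.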

  • CVE-2024-32650 (High), Apr 19, 2024
    affected: < 0.21.2-r1; fixed: 0.21.2-r1

    Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete

  • CVE-2024-27308, Mar 6, 2024
    affected: < 0.21.2-r1; fixed: 0.21.2-r1

    Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. F