apk package
wolfi/deno
pkg:apk/wolfi/deno
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45784 | — | < 2.7.14-r4 | 2.7.14-r4 | May 19, 2026 | `CipherCtxRef::cipher_update_inplace` incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-con | ||
| CVE-2026-42327 | Hig | — | < 2.7.14-r2 | 2.7.14-r2 | May 14, 2026 | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref wraps the raw bytes with str::from_utf8_unch | |
| CVE-2026-41898 | Cri | 9.8 | < 2.7.13-r0 | 2.7.13-r0 | Apr 24, 2026 | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the use | |
| CVE-2026-41681 | Cri | 9.8 | < 2.7.13-r0 | 2.7.13-r0 | Apr 24, 2026 | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the sta | |
| CVE-2026-41678 | Cri | 9.8 | < 2.7.13-r0 | 2.7.13-r0 | Apr 24, 2026 | rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8, | |
| CVE-2026-41677 | Cri | 9.1 | < 2.7.13-r0 | 2.7.13-r0 | Apr 24, 2026 | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can caus | |
| CVE-2026-41676 | Cri | 9.8 | < 2.7.13-r0 | 2.7.13-r0 | Apr 24, 2026 | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, | |
| CVE-2026-33056 | — | < 2.7.8-r0 | 2.7.8-r0 | Mar 20, 2026 | tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, | ||
| CVE-2026-33055 | — | < 2.7.8-r0 | 2.7.8-r0 | Mar 20, 2026 | tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz | ||
| CVE-2026-25727 | — | < 2.6.8-r2 | 2.6.8-r2 | Feb 6, 2026 | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used | ||
| CVE-2026-25541 | — | < 2.6.8-r1 | 2.6.8-r1 | Feb 4, 2026 | Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe | ||
| CVE-2026-21895 | — | < 2.6.4-r1 | 2.6.4-r1 | Jan 8, 2026 | The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue. | ||
| CVE-2024-12224 | — | < 2.1.3-r0 | 2.1.3-r0 | May 30, 2025 | Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname. | ||
| CVE-2025-4574 | Med | 6.5 | < 2.2.9-r0 | 2.2.9-r0 | May 13, 2025 | In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption. | |
| CVE-2025-4432 | Med | 5.3 | < 2.2.3-r1 | 2.2.3-r1 | May 9, 2025 | A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets | |
| CVE-2025-29787 | Hig | — | < 2.5.6-r0 | 2.5.6-r0 | Mar 17, 2025 | `zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used f | |
| CVE-2024-37150 | — | < 1.44.1-r0 | 1.44.1-r0 | Jun 6, 2024 | An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability i | ||
| CVE-2023-49092 | — | < 2.6.4-r1 | 2.6.4-r1 | Nov 28, 2023 | RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key | ||
| CVE-2023-22499 | — | < 1.30.3-r0 | 1.30.3-r0 | Jan 17, 2023 | Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program cou |
- CVE-2026-45784May 19, 2026affected < 2.7.14-r4fixed 2.7.14-r4
`CipherCtxRef::cipher_update_inplace` incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-con
- affected < 2.7.14-r2fixed 2.7.14-r2
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref wraps the raw bytes with str::from_utf8_unch
- affected < 2.7.13-r0fixed 2.7.13-r0
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the use
- affected < 2.7.13-r0fixed 2.7.13-r0
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller than that, MdCtxRef::digest_final() writes past its end, usually corrupting the sta
- affected < 2.7.13-r0fixed 2.7.13-r0
rust-openssl provides OpenSSL bindings for the Rust programming language. From to before 0.10.78, aes::unwrap_key() contains an incorrect assertion: it checks that out.len() + 8 <= in_.len(), but this condition is reversed. The intended invariant is out.len() >= in_.len() - 8,
- affected < 2.7.13-r0fixed 2.7.13-r0
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.0 to before 0.10.78, the *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can caus
- affected < 2.7.13-r0fixed 2.7.13-r0
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519,
- CVE-2026-33056Mar 20, 2026affected < 2.7.8-r0fixed 2.7.8-r0
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links,
- CVE-2026-33055Mar 20, 2026affected < 2.7.8-r0fixed 2.7.8-r0
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz
- CVE-2026-25727Feb 6, 2026affected < 2.6.8-r2fixed 2.6.8-r2
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used
- CVE-2026-25541Feb 4, 2026affected < 2.6.8-r1fixed 2.6.8-r1
Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe
- CVE-2026-21895Jan 8, 2026affected < 2.6.4-r1fixed 2.6.4-r1
The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.
- CVE-2024-12224May 30, 2025affected < 2.1.3-r0fixed 2.1.3-r0
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
- affected < 2.2.9-r0fixed 2.2.9-r0
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
- affected < 2.2.3-r1fixed 2.2.3-r1
A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets
- affected < 2.5.6-r0fixed 2.5.6-r0
`zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used f
- CVE-2024-37150Jun 6, 2024affected < 1.44.1-r0fixed 1.44.1-r0
An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability i
- CVE-2023-49092Nov 28, 2023affected < 2.6.4-r1fixed 2.6.4-r1
RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key
- CVE-2023-22499Jan 17, 2023affected < 1.30.3-r0fixed 1.30.3-r0
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program cou