VYPR

apk package

wolfi/wash

pkg:apk/wolfi/wash

Vulnerabilities (13)

  • CVE-2026-31812HigMar 10, 2026
    affected < 0.39.0-r9fixed 0.39.0-r9

    Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malf

  • CVE-2026-25727Feb 6, 2026
    affected < 0.39.0-r7fixed 0.39.0-r7

    time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used

  • CVE-2026-25541Feb 4, 2026
    affected < 0.39.0-r6fixed 0.39.0-r6

    Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition "v_capacity >= new_cap + offset" uses an unchecked addition. Whe

  • CVE-2025-58160LowAug 29, 2025
    affected < 0.39.0-r5fixed 0.39.0-r5

    tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be i

  • CVE-2024-58262Jul 27, 2025
    affected < 0.30.0-r0fixed 0.30.0-r0

    The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.

  • CVE-2024-12224May 30, 2025
    affected < 0.38.0-r0fixed 0.38.0-r0

    Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

  • CVE-2025-4432MedMay 9, 2025
    affected < 0.39.0-r1fixed 0.39.0-r1

    A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets

  • CVE-2024-51756LowNov 5, 2024
    affected < 0.36.1-r2fixed 0.36.1-r2

    The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a

  • CVE-2024-51745Nov 5, 2024
    affected < 0.36.1-r2fixed 0.36.1-r2

    Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su

  • CVE-2024-47813Oct 9, 2024
    affected < 0.34.1-r2fixed 0.34.1-r2

    Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi

  • CVE-2024-47763Oct 9, 2024
    affected < 0.34.1-r2fixed 0.34.1-r2

    Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or

  • CVE-2024-47609MedOct 1, 2024
    affected < 0.39.0-r1fixed 0.39.0-r1

    Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out

  • CVE-2024-45311Sep 2, 2024
    affected < 0.32.1-r1fixed 0.32.1-r1

    Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exp