apk package
wolfi/wasm-pack
pkg:apk/wolfi/wasm-pack
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33056 | — | < 0.14.0-r4 | 0.14.0-r4 | Mar 20, 2026 | tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, | ||
| CVE-2026-33055 | — | < 0.14.0-r4 | 0.14.0-r4 | Mar 20, 2026 | tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz | ||
| CVE-2026-25727 | — | < 0.14.0-r3 | 0.14.0-r3 | Feb 6, 2026 | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used | ||
| CVE-2025-4432 | Med | 5.3 | < 0.13.1-r2 | 0.13.1-r2 | May 9, 2025 | A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets | |
| CVE-2025-29787 | Hig | — | < 0.13.1-r3 | 0.13.1-r3 | Mar 17, 2025 | `zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used f |
- CVE-2026-33056Mar 20, 2026affected < 0.14.0-r4fixed 0.14.0-r4
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links,
- CVE-2026-33055Mar 20, 2026affected < 0.14.0-r4fixed 0.14.0-r4
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz
- CVE-2026-25727Feb 6, 2026affected < 0.14.0-r3fixed 0.14.0-r3
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used
- affected < 0.13.1-r2fixed 0.13.1-r2
A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets
- affected < 0.13.1-r3fixed 0.13.1-r3
`zip` is a zip library for rust which supports reading and writing of simple ZIP files. In the archive extraction routine of affected versions of the `zip` crate starting with version 1.3.0 and prior to version 2.3.0, symbolic links earlier in the archive are allowed to be used f