apk package
wolfi/zed
pkg:apk/wolfi/zed
Vulnerabilities (35)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-53901 | — | < 0.219.4-r0 | 0.219.4-r0 | Jul 18, 2025 | Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op | ||
| CVE-2025-4574 | Med | 6.5 | < 0.181.6-r0 | 0.181.6-r0 | May 13, 2025 | In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption. | |
| CVE-2025-4432 | Med | 5.3 | < 0.178.5-r0 | 0.178.5-r0 | May 9, 2025 | A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets | |
| CVE-2025-24898 | Med | — | < 0.171.6-r1 | 0.171.6-r1 | Feb 3, 2025 | rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's | |
| CVE-2024-51756 | Low | — | < 0.159.10-r1 | 0.159.10-r1 | Nov 5, 2024 | The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a | |
| CVE-2024-51745 | — | < 0.159.10-r1 | 0.159.10-r1 | Nov 5, 2024 | Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su | ||
| CVE-2024-47813 | — | < 0.156.0-r1 | 0.156.0-r1 | Oct 9, 2024 | Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi | ||
| CVE-2024-47763 | — | < 0.156.0-r1 | 0.156.0-r1 | Oct 9, 2024 | Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or | ||
| CVE-2024-43806 | Med | 6.5 | < 0.147.2-r0 | 0.147.2-r0 | Aug 26, 2024 | Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this c | |
| CVE-2024-30266 | — | < 0.146.3-r0 | 0.146.3-r0 | Apr 4, 2024 | wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this pan | ||
| CVE-2023-49092 | Med | 5.9 | < 0.166.1-r0 | 0.166.1-r0 | Nov 28, 2023 | RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key | |
| CVE-2023-43669 | Hig | 7.5 | < 0.147.2-r0 | 0.147.2-r0 | Sep 21, 2023 | The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) a | |
| CVE-2021-29937 | Cri | 9.8 | < 0 | 0 | Apr 1, 2021 | An issue was discovered in the telemetry crate through 2021-02-17 for Rust. There is a drop of uninitialized memory if a value.clone() call panics within misc::vec_with_size(). | |
| CVE-2019-25009 | Cri | 9.8 | < 0.146.3-r0 | 0.146.3-r0 | Dec 31, 2020 | An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness. | |
| CVE-2020-25574 | Hig | 7.5 | < 0.146.3-r0 | 0.146.3-r0 | Sep 14, 2020 | An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop). |
- CVE-2025-53901Jul 18, 2025affected < 0.219.4-r0fixed 0.219.4-r0
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_op
- affected < 0.181.6-r0fixed 0.181.6-r0
In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.
- affected < 0.178.5-r0fixed 0.178.5-r0
A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets
- affected < 0.171.6-r1fixed 0.171.6-r1
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's
- affected < 0.159.10-r1fixed 0.159.10-r1
The cap-std project is organized around the eponymous `cap-std` crate, and develops libraries to make it easy to write capability-based code. cap-std's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", a
- CVE-2024-51745Nov 5, 2024affected < 0.159.10-r1fixed 0.159.10-r1
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use su
- CVE-2024-47813Oct 9, 2024affected < 0.156.0-r1fixed 0.156.0-r1
Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That regi
- CVE-2024-47763Oct 9, 2024affected < 0.156.0-r1fixed 0.156.0-r1
Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or
- affected < 0.147.2-r0fixed 0.147.2-r0
Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this c
- CVE-2024-30266Apr 4, 2024affected < 0.146.3-r0fixed 0.146.3-r0
wasmtime is a runtime for WebAssembly. The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this pan
- affected < 0.166.1-r0fixed 0.166.1-r0
RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key
- affected < 0.147.2-r0fixed 0.147.2-r0
The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) a
- affected < 0fixed 0
An issue was discovered in the telemetry crate through 2021-02-17 for Rust. There is a drop of uninitialized memory if a value.clone() call panics within misc::vec_with_size().
- affected < 0.146.3-r0fixed 0.146.3-r0
An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.
- affected < 0.146.3-r0fixed 0.146.3-r0
An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop).
Page 2 of 2