RUSTSEC-2023-0083: Vulnerability in blurhash

Rust Crates.io Security Advisory


History
Edit
JSON (OSV)

RUSTSEC-2023-0083

blurhash: panic on parsing crafted blurhash inputs


Reported
Issued

Package

blurhash
(crates.io)

Type

Vulnerability

Categories
Keywords

#panic

#untrusted-input

#parsing

Aliases
References
CVSS Score
8.6
HIGH
CVSS Details
Attack vector
Network
Attack complexity
Low

Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Patched
  • >=0.2.0
Affected Functions
Version
blurhash::decode
  • *

Description

Impact

The blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input.

In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include:

  • UTF-8 compliant strings containing multi-byte UTF-8 characters

Patches

The patches were released under version 0.2.0, which may require user intervention because of slight API churn.

Advisory available under CC0-1.0
license.

READ MORE