chore(deps): bump serde_json from 1.0.142 to 1.0.145 #562

Commit 7412b5b
GitHub Actions / Security audit failed Sep 15, 2025 in 0s

Security advisories found

2 advisories, 2 unmaintained, 2 other

Details

Vulnerabilities

RUSTSEC-2025-0047

Out-of-bounds access in get_disjoint_mut due to incorrect bounds check

Details
Package slab
Version 0.4.10
URL GHSA-qx2v-8332-m4fv
Date 2025-08-12
Patched versions >=0.4.11
Unaffected versions <0.4.10

Impact

The get_disjoint_mut method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes.

Patches

This has been fixed in slab v0.4.11.

Workarounds

Avoid using get_disjoint_mut with indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later.

References

RUSTSEC-2025-0055

Logging user input may result in poisoning logs with ANSI escape sequences

Details
Package tracing-subscriber
Version 0.3.19
URL GHSA-xwfj-jgwm-7wp5
Date 2025-08-29
Patched versions >=0.3.20

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation the impact is minimal; however, security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences delivered via logs to exploit vulnerabilities in the terminal emulator.

This was patched in PR #3368 to escape ANSI control characters from user input.

Warnings

RUSTSEC-2024-0388

derivative is unmaintained; consider using an alternative

Details
Status unmaintained
Package derivative
Version 2.2.0
URL mcarton/rust-derivative#117
Date 2024-06-26

The derivative crate is no longer maintained.
Consider using any alternative, for instance:

RUSTSEC-2025-0057

fxhash - no longer maintained

Details
Status unmaintained
Package fxhash
Version 0.2.1
URL cbreeden/fxhash#20
Date 2025-09-05

The fxhash crate is no longer maintained.

The repository is stale and the owner is no longer active on GitHub.

Please take a look at rustc-hash instead.

### Crate `slab` is yanked

No extra details provided.

### Crate `zerovec` is yanked

No extra details provided.