rustsec-2024-0379
Vulnerability from osv_rustsec
Published
2024-10-31 12:00
Modified
2025-10-28 06:02
Summary
Multiple soundness issues
Details
fast-float contains multiple soundness issues:
- Undefined behavior when checking input length, which has been merged but no package pubished.
- Many functions marked as safe with non-local safety guarantees
The library is also unmaintained.
Alternatives
For quickly parsing floating-point numbers third-party crates are generally no longer needed. A fast float parsing algorithm by the author of lexical has been merged into libcore. When requiring direct parsing from bytes and/or partial parsers, the fast-float2 fork of fast-float containing these security patches and reduces overall usage of unsafe.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "fast-float",
"purl": "pkg:cargo/fast-float"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-x8jh-xj3x-gx3c"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`fast-float` contains multiple soundness issues:\n\n 1. [Undefined behavior when checking input length](https://github.com/aldanor/fast-float-rust/issues/28), which has been merged but no package [pubished](https://github.com/aldanor/fast-float-rust/issues/35).\n 1. [Many functions marked as safe with non-local safety guarantees](https://github.com/aldanor/fast-float-rust/issues/37)\n\nThe library is also unmaintained.\n\n## Alternatives\n\nFor quickly parsing floating-point numbers third-party crates are generally no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore. When requiring direct parsing from bytes and/or partial parsers, the [`fast-float2`](https://crates.io/crates/fast-float2) fork of `fast-float` containing these security patches and reduces overall usage of unsafe.",
"id": "RUSTSEC-2024-0379",
"modified": "2025-10-28T06:02:18Z",
"published": "2024-10-31T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/fast-float"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0379.html"
},
{
"type": "REPORT",
"url": "https://github.com/aldanor/fast-float-rust/issues/35"
},
{
"type": "REPORT",
"url": "https://github.com/aldanor/fast-float-rust/issues/28"
},
{
"type": "REPORT",
"url": "https://github.com/aldanor/fast-float-rust/issues/37"
}
],
"related": [],
"severity": [],
"summary": "Multiple soundness issues"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…