rustsec-2025-0015
Vulnerability from osv_rustsec
Prior to version 0.10.3, the built-in clients of the `web-push` crate eagerly allocated memory based on the `Content-Length` header returned by the Web Push endpoint. Malicious Web Push endpoints could return a large `Content-Length` without ever having to send as much data, leading to denial of service by memory exhaustion.
Services providing Web Push notifications typically allow the user to register an arbitrary endpoint, so the endpoint should not be trusted.
The fixed version 0.10.3 now limits the amount of memory it will allocate for each response, limits the amount of data it will read from the endpoint, and returns an error if the endpoint sends too much data.
As before, it is recommended that services add a timeout for each request to Web Push endpoints.
{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "denial-of-service"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "web-push",
        "purl": "pkg:cargo/web-push"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.10.3"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2025-53604",
    "GHSA-287x-9rff-qvcg",
    "GHSA-fc83-9jwq-gc2m"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Prior to version 0.10.3, the built-in clients of the `web-push` crate\neagerly allocated memory based on the `Content-Length` header returned by the\nWeb Push endpoint. Malicious Web Push endpoints could return a large\n`Content-Length` without ever having to send as much data, leading to\ndenial of service by memory exhaustion.\n\nServices providing Web Push notifications typically allow the user to\nregister an arbitrary endpoint, so the endpoint should not be trusted.\n\nThe fixed version 0.10.3 now limits the amount of memory it will allocate\nfor each response, limits the amount of data it will read from the endpoint,\nand returns an error if the endpoint sends too much data.\n\nAs before, it is recommended that services add a timeout for each request\nto Web Push endpoints.",
  "id": "RUSTSEC-2025-0015",
  "modified": "2025-10-28T06:02:18Z",
  "published": "2025-02-16T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/web-push"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0015.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimeys/rust-web-push/pull/68"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Denial of Service via malicious Web Push endpoint"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.