rustsec-2025-0049
Vulnerability from osv_rustsec
The get and set methods of the public trait scratchpad::Tracking interact with unsafe code regions in the crate, and they influence the computation of addresses returned as raw pointers. However, the trait itself is not marked as unsafe, meaning users may provide custom implementations under the assumption that the crate upholds all safety guarantees.
This becomes problematic because even safe implementations of get and set-written without using any unsafe code-can still result in ill-formed raw pointers. These pointers may later be dereferenced within safe APIs of the crate (e.g., marker::MarkerBack::allocate_slice_copy), potentially leading to arbitrary memory access or heap buffer overflows.
According to the penultimate commit, the crate is in maintenance mode awaiting a cleanup that will reduce the area of unsafe code. Note that the last commits to the repository are from 4 years ago.
{
"affected": [
{
"database_specific": {
"categories": [
"memory-corruption"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"scratchpad::Tracking::get",
"scratchpad::Tracking::set"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "scratchpad",
"purl": "pkg:cargo/scratchpad"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-77h3-w9rx-hj3q"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "The `get` and `set` methods of the public trait `scratchpad::Tracking` interact with unsafe code regions in the crate, and they influence the computation of addresses returned as raw pointers. However, the trait itself is not marked as unsafe, meaning users may provide custom implementations under the assumption that the crate upholds all safety guarantees.\n\nThis becomes problematic because even safe implementations of `get` and `set`-written without using any unsafe code-can still result in ill-formed raw pointers. These pointers may later be dereferenced within safe APIs of the crate (e.g., `marker::MarkerBack::allocate_slice_copy`), potentially leading to arbitrary memory access or heap buffer overflows.\n\nAccording to the [penultimate commit](https://github.com/okready/scratchpad/commit/957dee1a3902f48600b06910e8e0b1d5ee7dab83), the crate is in maintenance mode awaiting a cleanup that will reduce the area of unsafe code. Note that the last commits to the repository are from 4 years ago.",
"id": "RUSTSEC-2025-0049",
"modified": "2025-10-28T06:02:18Z",
"published": "2025-08-14T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/scratchpad"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0049.html"
},
{
"type": "REPORT",
"url": "https://github.com/okready/scratchpad/issues/2"
}
],
"related": [],
"severity": [],
"summary": "User-defined implementations of the safe trait scratchpad::Tracking can cause heap buffer overflows"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.