GHSA-c2hm-mjxv-89r4: Multiple soundness issues in lexical

September 4, 2023 (updated September 16, 2024)

lexical contains multiple soundness issues:

Bytes::read() allows creating instances of types with invalid bit patterns
BytesIter::read() advances iterators out of bounds
The BytesIter trait has safety invariants but is public and not marked unsafe
write_float() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine
radix() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine

The crate also has some correctness issues.

References

github.com/Alexhuszagh/rust-lexical
github.com/advisories/GHSA-c2hm-mjxv-89r4
rustsec.org/advisories/RUSTSEC-2023-0055.html

Detect and mitigate GHSA-c2hm-mjxv-89r4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →