GHSA-x77x-7mmh-cxv3: ncurses exposes uninitialized memory in string reading functions

October 22, 2025 (updated November 10, 2025)

Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.

This allows reading uninitialized memory which may contain sensitive data from previous allocations.

The ncurses-rs repository is archived and unmaintained.

References

github.com/RustSec/advisory-db/pull/2427
github.com/advisories/GHSA-x77x-7mmh-cxv3
github.com/jeaye/ncurses-rs
rustsec.org/advisories/RUSTSEC-2025-0108.html

Code Behaviors & Features

Detect and mitigate GHSA-x77x-7mmh-cxv3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →