CVE-2023-53157: Remotely exploitable denial of service in Rosenpass

December 21, 2023 (updated July 28, 2025)

Affected versions of this crate did not validate the size of buffers when attempting to decode messages.

This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.

This flaw was corrected by validating the size of the buffers before attempting to decode the message.

References

github.com/advisories/GHSA-6ggr-cwv4-g7qg
github.com/rosenpass/rosenpass
github.com/rosenpass/rosenpass/commit/93439858d1c44294a7b377f775c4fc897a370bb2
nvd.nist.gov/vuln/detail/CVE-2023-53157
rustsec.org/advisories/RUSTSEC-2023-0077.html

Code Behaviors & Features

Detect and mitigate CVE-2023-53157 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →