RUSTSEC-2021-0041
on 2021-03-18: Denial of service through parsing payloads with too big exponent
This crate has no reviews yet. To add a review, set up your cargo-crev.
Lib.rs has been able to verify that all files in the crate's tarball are in the crate's repository. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.
To review the actual code of the crate, it's best to use cargo crev open parse_duration. Alternatively, you can download the tarball of parse_duration v2.1.1 or view the source online.
The
parse_duration::parsefunction allows for parsing duration strings with exponents like5e5swhere under the hood, theBigInttype along with thepowfunction are used for such payloads. Passing an arbitrarily big exponent makes theparse_duration::parsefunction to process the payload for a very long time taking up CPU and memory.This allows an attacker to cause a DoS if the
parse_duration::parsefunction is used to process untrusted input.CVE-2021-29932
GHSA-qpgv-g792-wh6x