Platform
rust
Component
base64
Fixed in
0.5.2
0.5.2
CVE-2017-1000430 describes a critical buffer overflow vulnerability affecting the base64 crate in Rust. This flaw arises from an integer overflow when calculating the buffer size for base64 encoding operations, specifically within the encodeconfigbuf and encode_config functions. Exploitation can lead to memory corruption and potentially arbitrary code execution. Affected versions are those prior to 0.5.2; upgrading to this version resolves the vulnerability.
The vulnerability's impact is severe due to its potential for arbitrary code execution. An attacker can craft a large input string to trigger the integer overflow, causing an undersized buffer to be allocated. Subsequent writes to this buffer, handled via unsafe code, will then overflow the buffer's boundaries, corrupting memory. This memory corruption can be leveraged to overwrite critical data structures or inject malicious code into the process's memory space, ultimately allowing the attacker to execute arbitrary commands with the privileges of the Rust application. The blast radius is dependent on the application using the vulnerable crate; a widely used library could have a significant impact.
This CVE was publicly disclosed on May 3, 2017. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for arbitrary code execution makes it a high-priority concern. The vulnerability's presence in a widely used crate increases the likelihood of exploitation if left unpatched. No KEV listing is currently available.
Exploit Status
EPSS
0.48% (65% percentile)
CVSS Vector
The primary mitigation is to upgrade the base64 crate to version 0.5.2 or later. This version incorporates checked arithmetic to prevent the integer overflow. If upgrading is not immediately feasible, consider implementing runtime checks to validate the input string length before passing it to the encodeconfigbuf or encode_config functions. While not a complete solution, this can provide a layer of defense against exploitation. Thorough testing is crucial after any upgrade to ensure compatibility and prevent regressions. Verify the upgrade by running unit tests that specifically target the base64 encoding functionality.
No official patch available. Check for workarounds or monitor for updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2017-1000430 is a critical vulnerability in the Rust base64 crate where an integer overflow can lead to a buffer overflow, potentially allowing arbitrary code execution.
You are affected if your Rust project uses the base64 crate in a version prior to 0.5.2. Check your Cargo.toml file to determine your version.
Upgrade the base64 crate to version 0.5.2 or later using cargo update base64.
While no active exploitation campaigns have been definitively linked, the potential for arbitrary code execution makes it a high-priority concern.
base64Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Cargo.lock file and we'll tell you instantly if you're affected.