GHSA-wv8j-m3hx-924j

Source

https://github.com/advisories/GHSA-wv8j-m3hx-924j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-wv8j-m3hx-924j/GHSA-wv8j-m3hx-924j.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-wv8j-m3hx-924j

Published

2025-05-30T20:09:56Z

Modified

2025-05-30T20:09:56Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Arrow2 allows out of bounds access in public safe API

Details

Rows::row_unchecked() allows out of bounds access to the underlying buffer without sufficient checks.

The arrow2 crate is no longer maintained, so there are no plans to fix this issue. Users are advised to migrate to the arrow crate, instead.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-119"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-30T20:09:56Z"
}

References

Affected packages

crates.io / arrow2

Package

Name: arrow2; View open source insights on deps.dev
Purl: pkg:cargo/arrow2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.18.0