RUSTSEC-2024-0404

Source
https://rustsec.org/advisories/RUSTSEC-2024-0404
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0404.json
JSON Data
https://api.test.osv.dev/v1/vulns/RUSTSEC-2024-0404
Aliases
Published
2024-09-08T12:00:00Z
Modified
2025-10-28T06:29:49.793210Z
Summary
Unsoundness in anstream
Details

Given the valid UTF-8 string "ö\x1b😀", the function in crates/anstream/src/adapter/strip.rs segments the input incorrectly. The UTF-8 bytes are \xc3\xb6, then \x1b, then \xf0\x9f\x98\x80.

When looping over "non-printable bytes", \x1b\xf0 is treated as a non-printable sequence, even though \xf0 is the first byte of the four-byte encoding of 😀.

The incorrectly segmented bytes are then turned into a broken str via str::from_utf8_unchecked, and that should never happen.

Full credit goes to @Ralith who reviewed this code and asked @burakemir to follow up.
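The segmentation problem described above can be reproduced with a simplified model. This is an added example, not anstream's code: the `segments`, `faulty`, `boundary_safe` and `strip` names are hypothetical, and the rule "ESC swallows the next byte" is an assumption standing in for the real parser. It uses the checked `std::str::from_utf8`, so the invalid segment surfaces as an error instead of becoming a broken `str`.

```rust
// Added illustration; a simplified model, not the anstream implementation.
use std::str::Utf8Error;

/// Split `s` into the byte runs that remain after skipping each ESC (0x1b)
/// and, when `consume_next` says so, the single byte that follows it.
fn segments(s: &str, consume_next: fn(u8) -> bool) -> Vec<&[u8]> {
    let b = s.as_bytes();
    let (mut out, mut start, mut i) = (Vec::new(), 0, 0);
    while i < b.len() {
        if b[i] != 0x1b {
            i += 1;
            continue;
        }
        if start < i {
            out.push(&b[start..i]); // printable run before the ESC
        }
        i += 1; // the ESC byte itself
        if i < b.len() && consume_next(b[i]) {
            i += 1; // byte treated as part of the non-printable sequence
        }
        start = i;
    }
    if start < b.len() {
        out.push(&b[start..]);
    }
    out
}

/// Assumed faulty rule: any byte after ESC belongs to the escape sequence.
fn faulty(_next: u8) -> bool { true }

/// Boundary-safe rule: only an ASCII byte can be consumed after ESC, so a
/// multi-byte UTF-8 character is never cut in the middle.
fn boundary_safe(next: u8) -> bool { next.is_ascii() }

/// Join the printable runs, validating each one instead of trusting it.
fn strip(s: &str, consume_next: fn(u8) -> bool) -> Result<String, Utf8Error> {
    let mut out = String::new();
    for seg in segments(s, consume_next) {
        out.push_str(std::str::from_utf8(seg)?);
    }
    Ok(out)
}

fn main() {
    let input = "ö\x1b😀"; // the string from the advisory
    println!("faulty:        {:?}", strip(input, faulty));
    println!("boundary-safe: {:?}", strip(input, boundary_safe));
}
```

With the faulty rule the second run is \x9f\x98\x80, three continuation bytes with no lead byte, which is exactly the kind of slice that must never reach `str::from_utf8_unchecked`.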

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / anstream

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.6.8

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "arch": [],
        "functions": [
            "anstream::adapter::strip_str"
        ]
    }
}

Database specific

categories

[]

cvss

null

informational

"unsound"