Skip to content

Add advisory for bcrypt panic regression (CVE candidate)#3029

Merged
djc merged 1 commit into
rustsec:mainfrom
MuhammedHussein17:MuhammedHussein17-patch-1
Jul 4, 2026
Merged

Add advisory for bcrypt panic regression (CVE candidate)#3029
djc merged 1 commit into
rustsec:mainfrom
MuhammedHussein17:MuhammedHussein17-patch-1

Conversation

@MuhammedHussein17

Copy link
Copy Markdown
Contributor

Adds an advisory for the panic in bcrypt::verify on non-ASCII hash input,
fixed in bcrypt 0.19.2 (Keats/rust-bcrypt PR #103).

Affected crate(s)

  • bcrypt — 13,644,923 all-time downloads on crates.io

Links to upstream issue(s) or PR(s)

Prior to filing this advisory, the vulnerability was disclosed privately
to the maintainer (Vincent Prouillet / @Keats) via email. He acknowledged
the report, requested a PR, and merged the fix. He was notified in advance
of my intent to file this informational advisory with RustSec.

Severity

Denial of service via panic in str::slice_error_fail. Any Rust code
calling bcrypt::verify or HashParts::from_str with an attacker-
controlled hash string will crash. Limited to DoS because the crate is
#![forbid(unsafe_code)] — no memory corruption is possible.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L = 5.3 (Medium)

Affected versions: >= 0.19.0, < 0.19.2

Checklist

  • Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

Adds an advisory for the panic in bcrypt::verify on non-ASCII hash input,
fixed in bcrypt 0.19.2 (Keats/rust-bcrypt PR rustsec#103).

Affected: >= 0.19.0, < 0.19.2
Fixed: >= 0.19.2
@djc
djc merged commit d1ac26f into rustsec:main Jul 4, 2026
1 check passed
@djc

djc commented Jul 4, 2026

Copy link
Copy Markdown
Member

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants