RUSTSEC-2021-0041
on 2021-03-18: Denial of service through parsing payloads with too big exponent
This crate has no reviews yet. To add a review, set up your cargo-crev.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open parse_duration. Alternatively, you can download the tarball of parse_duration v2.1.1 or view the source online.
The
parse_duration::parsefunction allows for parsing duration strings with exponents like5e5swhere under the hood, theBigInttype along with thepowfunction are used for such payloads. Passing an arbitrarily big exponent makes theparse_duration::parsefunction to process the payload for a very long time taking up CPU and memory.This allows an attacker to cause a DoS if the
parse_duration::parsefunction is used to process untrusted input.CVE-2021-29932
GHSA-qpgv-g792-wh6x