AIKIDO-2025-10554

sentencepiece is vulnerable to Heap-based Buffer Overflow

Heap-based Buffer Overflow Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Aug 18, 2025

71

High Risk

This Affects:

Python: sentencepiece
0.1.6 - 0.2.0
Fixed in 0.2.1

TL;DR

Affected versions of this package are vulnerable to a heap overflow in the PrefixMatcher constructor, caused by improper handling of non-null-terminated strings during double-array trie construction. PrefixMatcher initializes its trie from the raw pointers of absl::string_view elements without ensuring null termination. An attacker can exploit this by crafting input strings that lack null terminators, causing the trie builder to read beyond allocated heap boundaries while scanning for string endings. This heap overflow can corrupt adjacent memory, potentially enabling arbitrary code execution, sensitive data leakage, or application crashes.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

sentencepiece is vulnerable to Heap-based Buffer Overflow in versions 0.1.6 - 0.2.0.

How to fix this

Upgrade the sentencepiece library to the patched version, 0.2.1.
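
To find out whether a project or environment falls in the affected range, the following added example (not part of the advisory or of sentencepiece) checks pinned requirements and the installed distribution against 0.1.6 - 0.2.0. The function names and the sample requirements text are assumptions made for illustration.

```python
import re
from importlib import metadata

PACKAGE = "sentencepiece"
FIRST_AFFECTED, LAST_AFFECTED = (0, 1, 6), (0, 2, 0)  # range stated in this advisory

def parse_version(text):
    """Leading numeric release as a 3-tuple: '0.2.0.post1' -> (0, 2, 0)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version_text):
    v = parse_version(version_text)
    return v is not None and FIRST_AFFECTED <= v <= LAST_AFFECTED

def scan_requirements(text):
    """Return (line_no, specifier, status) for each sentencepiece requirement."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, markers
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)", line)
        # PEP 503 normalisation: case-insensitive, runs of -_. are equivalent
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
            continue
        spec = m.group(2).strip()
        pin = re.fullmatch(r"===?\s*([^\s,*]+)", spec)
        # A range or wildcard is "unpinned": check what actually got installed.
        status = ("unpinned" if pin is None
                  else "affected" if is_affected(pin.group(1)) else "ok")
        findings.append((no, spec, status))
    return findings

def installed_status():
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None  # sentencepiece is not installed in this environment
    return version, is_affected(version)

# Constructed sample input, not taken from any real project.
SAMPLE = """\
numpy==1.26.4
SentencePiece==0.2.0   # pinned inside the affected range
sentencepiece>=0.1.99
sentencepiece==0.2.1 ; python_version >= "3.9"
"""
```

Pre-release and post-release suffixes are compared by their numeric release only, so a build such as 0.2.0.post1 is reported as affected.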