der is vulnerable to Denial of Service (DoS)
53
Medium Risk
The der crate sorts the elements of a DER SET OF at decode time using a hand-rolled insertion sort in der_sort. That sort runs in O(n^2) time, so a crafted reverse-sorted SET OF forces roughly n(n-1)/2 comparisons and swaps on every SetOfVec or heapless SetOf decode. An attacker who supplies untrusted DER, such as a certificate parsed through x509-cert or a CMS structure, can make a single decode consume large amounts of CPU time and cause denial of service. The fix replaces the insertion sort with an in-place O(n log n) sort_unstable_by while preserving DER ordering and duplicate handling.
You are affected if you are using a version that falls within the vulnerable range and your application decodes untrusted DER-encoded SET OF values, for example when parsing X.509 certificates or CMS structures.
der is vulnerable to Denial of Service (DoS) in versions 0.6.0 - 0.8.0.
Upgrade the der library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant