bcder is vulnerable to Improper Input Validation
41
Medium Risk
The bcder crate decodes BER, CER, and DER ASN.1 data from untrusted inputs such as certificates and RPKI objects. Before 0.7.7, malformed UTF-8 in Utf8String parsing could construct invalid Rust characters via unsafe decoding, and gaps in BitString, Unsigned, and restricted-string handling allowed incorrect bit reads, charset bypass, panic on valid zero integers, and acceptance of non-conformant DER/CER bit strings. An attacker supplying crafted ASN.1 could trigger undefined behavior, integrity errors, or denial of service. Version 0.7.7 adds strict UTF-8 and charset validation, corrects BitString bounds and unused-bit checks, and returns canonical zero encodings without panicking.
You are affected if you are using a version that falls within the vulnerable range.
bcder is vulnerable to Improper Input Validation in versions 0.1.0 - 0.7.6.
Upgrade the bcder library to the patched version, 0.7.7.
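The validation the advisory describes (strict UTF-8 and charset checks, BitString unused-bit and bounds checks, a canonical zero INTEGER that neither panics nor decodes non-minimally) can be illustrated with a minimal DER decoder. The following Rust is an added example and not bcder's code: it uses only the standard library, the universal tag numbers are the standard ones, and the error enum, function names and the byte sequences in the checks are the example's own constructions.

```rust
// Added example, not bcder's code: a small DER decoder for the element types
// named in the advisory, showing the checks a decoder needs so that crafted
// input is rejected instead of producing invalid chars, bad bit reads or panics.

#[derive(Debug, PartialEq)]
pub enum DerError {
    Truncated, BadLength, UnexpectedTag(u8), BadUtf8, BadCharset,
    BadUnusedBits, OutOfBounds, NonCanonicalInteger, Negative, Overflow,
}

/// Split one definite-length TLV into (tag, content, remaining bytes).
pub fn split_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), DerError> {
    let (&tag, rest) = input.split_first().ok_or(DerError::Truncated)?;
    let (&first, rest) = rest.split_first().ok_or(DerError::Truncated)?;
    let (len, rest) = if first < 0x80 {
        (usize::from(first), rest)
    } else {
        // Long form: 1..=4 length octets, minimal (no leading zero, value >= 128).
        let n = usize::from(first & 0x7f);
        if n == 0 || n > 4 || rest.len() < n || rest[0] == 0 {
            return Err(DerError::BadLength);
        }
        let len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | usize::from(b));
        if len < 0x80 { return Err(DerError::BadLength); }
        (len, &rest[n..])
    };
    if rest.len() < len { return Err(DerError::Truncated); }
    Ok((tag, &rest[..len], &rest[len..]))
}

fn content_of(input: &[u8], tag: u8) -> Result<&[u8], DerError> {
    let (t, content, _) = split_tlv(input)?;
    if t != tag { return Err(DerError::UnexpectedTag(t)); }
    Ok(content)
}

/// UTF8String (tag 0x0C): checked conversion, never from_utf8_unchecked.
pub fn parse_utf8_string(input: &[u8]) -> Result<&str, DerError> {
    std::str::from_utf8(content_of(input, 0x0c)?).map_err(|_| DerError::BadUtf8)
}

/// PrintableString (tag 0x13): every octet must be in the X.680 charset.
pub fn parse_printable_string(input: &[u8]) -> Result<&str, DerError> {
    let content = content_of(input, 0x13)?;
    let allowed = |b: u8| b.is_ascii_alphanumeric() || b" '()+,-./:=?".contains(&b);
    if !content.iter().all(|&b| allowed(b)) { return Err(DerError::BadCharset); }
    std::str::from_utf8(content).map_err(|_| DerError::BadCharset)
}

pub struct BitString<'a> { unused: u8, data: &'a [u8] }

/// BIT STRING (tag 0x03): validate the unused-bits octet as DER/CER require.
pub fn parse_bit_string(input: &[u8]) -> Result<BitString<'_>, DerError> {
    let content = content_of(input, 0x03)?;
    let (&unused, data) = content.split_first().ok_or(DerError::Truncated)?;
    // At most 7 unused bits, and none at all when there are no data octets.
    if unused > 7 || (data.is_empty() && unused != 0) { return Err(DerError::BadUnusedBits); }
    // DER/CER: the padding bits in the last octet must all be zero.
    if data.last().map_or(false, |&b| b & ((1u8 << unused) - 1) != 0) {
        return Err(DerError::BadUnusedBits);
    }
    Ok(BitString { unused, data })
}

impl BitString<'_> {
    pub fn bit_len(&self) -> usize { self.data.len() * 8 - usize::from(self.unused) }
    /// Bounds-checked read of bit `i`, most significant bit first.
    pub fn bit(&self, i: usize) -> Result<bool, DerError> {
        if i >= self.bit_len() { return Err(DerError::OutOfBounds); }
        Ok(self.data[i / 8] & (0x80 >> (i % 8)) != 0)
    }
}

/// Unsigned INTEGER (tag 0x02): minimal encoding; zero is exactly one 0x00 octet.
pub fn parse_unsigned(input: &[u8]) -> Result<u64, DerError> {
    let content = content_of(input, 0x02)?;
    let (&first, rest) = content.split_first().ok_or(DerError::Truncated)?;
    if first & 0x80 != 0 { return Err(DerError::Negative); }
    // A leading 0x00 is only allowed to keep a high-bit value non-negative.
    if first == 0 && rest.first().map_or(false, |&b| b & 0x80 == 0) {
        return Err(DerError::NonCanonicalInteger);
    }
    let digits = if first == 0 { rest } else { content }; // for zero, `rest` is empty
    if digits.len() > 8 { return Err(DerError::Overflow); }
    Ok(digits.iter().fold(0u64, |acc, &b| (acc << 8) | u64::from(b)))
}

/// Canonical DER encoding of an unsigned value; 0 encodes as 02 01 00, not a panic.
pub fn encode_unsigned(v: u64) -> Vec<u8> {
    let be = v.to_be_bytes();
    let start = be.iter().position(|&b| b != 0).unwrap_or(7); // zero keeps one octet
    let mut digits = be[start..].to_vec();
    if digits[0] & 0x80 != 0 { digits.insert(0, 0); } // sign-padding octet
    let mut out = vec![0x02, digits.len() as u8];
    out.extend(digits);
    out
}
```

Each rejection maps to one of the gaps the advisory lists: `parse_utf8_string` returns an error rather than an invalid `char`, `parse_bit_string` refuses an unused-bit count above 7, a non-zero count on an empty string, and dirty padding bits, `BitString::bit` bounds-checks against the real bit length instead of the octet length, and the INTEGER zero round-trips through `parse_unsigned`/`encode_unsigned` as the single octet `00`.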