statsig-rust is vulnerable to Denial of Service (DoS)
45
Medium Risk
The Rust SDK deduplicates exposure events in ExposureSampling using an in-memory set keyed by spec, rule, and user hashes. The should_dedupe_exposure path inserts a new key for every unique exposure but enforces the key cap only during a periodic reset instead of on each insertion. Under high unique-user cardinality the exposure_dedupe_set can grow far beyond its intended limit between resets, driving unbounded memory growth and potential process memory exhaustion. The fix replaces the unbounded set with a bounded LruCache that evicts entries once a configurable maximum number of keys is reached.
You are affected if you are using a version that falls within the vulnerable range and your service logs Statsig exposure events for a large number of unique users between dedupe-cache resets.
statsig-rust is vulnerable to Denial of Service (DoS) in versions 0.4.0 - 0.19.4.
Upgrade the statsig-rust library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant