Intel

AIKIDO-2026-534143

statsig-rust is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

45

Medium Risk

This Affects:

RUSTstatsig-rust
0.4.0 - 0.19.4
Fixed in 0.19.5
Are you affected? Scan for Free

TL;DR

The Rust SDK deduplicates exposure events in ExposureSampling using an in-memory set keyed by spec, rule, and user hashes. The should_dedupe_exposure path inserts a new key for every unique exposure but enforces the key cap only during a periodic reset instead of on each insertion. Under high unique-user cardinality the exposure_dedupe_set can grow far beyond its intended limit between resets, driving unbounded memory growth and potential process memory exhaustion. The fix replaces the unbounded set with a bounded LruCache that evicts entries once a configurable maximum number of keys is reached.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your service logs Statsig exposure events for a large number of unique users between dedupe-cache resets.

Background info

statsig-rust is vulnerable to Denial of Service (DoS) in versions 0.4.0 - 0.19.4.

How to fix this

Upgrade the statsig-rust library to the patch version.