rand is vulnerable to Deserialization of Untrusted Data
37
Low Risk
The UniformChar distribution in rand stores an inner UniformInt<u32> sampler and, when the serde feature is enabled, derives Deserialize for it. Deserializing a UniformChar from untrusted input bypasses the validating constructors, so the sampler can carry a range whose output exceeds the valid Unicode scalar range. Sampling such a distribution then reaches an unchecked char conversion that produces an invalid char, causing undefined behavior and a memory safety violation. The fix validates the sampler range during deserialization and rejects samplers whose maximum output exceeds the valid char range.
You are affected if you are using a version that falls within the vulnerable range and you deserialize a UniformChar distribution from untrusted input with the serde feature enabled.
rand is vulnerable to Deserialization of Untrusted Data in versions 0.8.0 - 0.10.1.
Upgrade the rand library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant