trash is vulnerable to Denial of Service (DoS)
25
Low Risk
The FreeDesktop trash implementation in src/freedesktop.rs uses assert!(virtually_exists(...)) in metadata() and restore_all() to check that the file referenced by a .trashinfo entry still exists in trash/files. When an orphaned or malformed .trashinfo entry points to a missing target, the assertion fails and the library panics instead of returning an error, aborting the calling process. An attacker who can place or influence trash entries can crash any application that reads metadata for or restores trash items, such as a file manager. The fix replaces the assertions with ensure_virtually_exists(), which returns an Error::FileSystem NotFound error so callers can handle the missing file gracefully.
You are affected if you are using a version that falls within the vulnerable range and your application runs on a FreeDesktop (Linux) environment and calls the trash metadata or restore APIs on trash contents you do not fully control.
trash is vulnerable to Denial of Service (DoS) in versions 2.0.0 - 5.2.5.
Upgrade the trash library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant