pygeohash is vulnerable to Out-of-Bounds Read
41
Medium Risk
The C extension decoder in pygeohash.cgeohash.geohash_module indexes a fixed 128-entry base32_decode_map table using each input byte cast to a signed int. When a geohash string contains a byte >= 128 (for example multibyte UTF-8), that cast produces a negative index and the decoder reads outside the lookup table. The out-of-bounds read can yield incorrect decode results and, depending on process memory layout, undefined behavior. The fix casts each character to unsigned char and rejects any byte >= 128 with ValueError("Invalid character in geohash") before the table lookup.
You are affected if you are using a version that falls within the vulnerable range and your application decodes untrusted geohash strings.
pygeohash is vulnerable to Out-of-Bounds Read in versions 3.0.0 - 3.2.2.
Upgrade the pygeohash library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant