GHSA-pph8-gcv7-4qj5

Source
https://github.com/advisories/GHSA-pph8-gcv7-4qj5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-pph8-gcv7-4qj5/GHSA-pph8-gcv7-4qj5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pph8-gcv7-4qj5
Published
2025-04-02T13:19:19Z
Modified
2025-04-02T13:19:19Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Summary
PyO3 Risk of buffer overflow in `PyString::from_object`
Details

`PyString::from_object` took `&str` arguments and forwarded them directly to the Python C API without checking for a terminating nul byte. A `&str` carries its length but is not nul-terminated, so the Python interpreter could read beyond the end of the `&str` data and potentially leak the contents of the out-of-bounds read (by raising a Python exception containing a copy of the data, including the bytes read past the end).

In PyO3 0.24.1 this function now allocates a `CString` to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes `&CStr` arguments.
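The over-read and the `CString` fix, as an added stand-alone example that is not PyO3's own code: `c_api_read_until_nul` is a hypothetical stand-in for a nul-scanning C API (not the real CPython call), and `BACKING` is a constructed buffer whose bytes after `|` play the role of adjacent memory.

```rust
use std::ffi::{c_char, CStr, CString, NulError};

/// Hypothetical stand-in for a C API that expects a nul-terminated string.
/// Like the CPython calls the advisory describes, it ignores any length
/// the Rust side knows and scans forward until it finds a 0 byte.
unsafe fn c_api_read_until_nul(ptr: *const c_char) -> String {
    CStr::from_ptr(ptr).to_string_lossy().into_owned()
}

/// Vulnerable shape (the pre-0.24.1 behaviour): the pointer of a `&str` is
/// handed straight to the nul-scanning API. The `&str` has no terminator,
/// so the callee keeps reading whatever happens to follow it in memory.
fn forward_str_unchecked(ptr: *const u8) -> String {
    unsafe { c_api_read_until_nul(ptr as *const c_char) }
}

/// Fixed shape (what 0.24.1 does): copy the `&str` into a `CString`, which
/// appends the nul byte and rejects interior nul bytes that would otherwise
/// silently truncate the string at the C side.
fn forward_str_checked(s: &str) -> Result<String, NulError> {
    let owned = CString::new(s)?;
    Ok(unsafe { c_api_read_until_nul(owned.as_ptr()) })
}

/// Constructed backing buffer: the caller only intends to pass "hello";
/// everything after '|' stands in for unrelated adjacent data. The final
/// 0 keeps the simulation within one allocation (real adjacent memory
/// offers no such guarantee).
const BACKING: &[u8] = b"hello|ADJACENT-DATA\0";

/// The `&str` the caller actually meant to pass: the first five bytes.
fn intended_str() -> &'static str {
    std::str::from_utf8(&BACKING[..5]).unwrap()
}

/// Unchecked path: the callee returns far more than the intended `&str`.
fn demo_overread() -> String {
    forward_str_unchecked(BACKING.as_ptr())
}

/// Checked path: the callee sees exactly the intended bytes.
fn demo_fixed() -> Result<String, NulError> {
    forward_str_checked(intended_str())
}

fn main() {
    println!("intended: {:?}", intended_str());
    println!("unchecked: {:?}", demo_overread());
    println!("checked:   {:?}", demo_fixed());
    println!("interior nul rejected: {}", forward_str_checked("a\0b").is_err());
}
```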

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-125"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T13:19:19Z"
}
References

Affected packages

Package: crates.io / pyo3
Affected ranges (type SEMVER):
  • Introduced: 0.1.0
  • Fixed: 0.24.1