lemmy_db_schema-0.19.3.crate: 6 vulnerabilities (highest severity is: 7.5) #20
Description
Vulnerable Library - lemmy_db_schema-0.19.3.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (lemmy_db_schema version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-32650 |  High |
7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2024-27308 | High |
7.5 | mio-0.8.10.crate | Transitive | N/A* | ❌ |
| CVE-2025-4432 |  Medium |
5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-24898 | Medium |
4.8 | openssl-0.10.63.crate | Transitive | N/A* | ❌ |
| CVE-2024-12224 | Medium |
4.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-3416 |  Low |
3.7 | openssl-0.10.63.crate | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-32650
Vulnerable Libraries - rustls-0.21.10.crate, rustls-0.20.9.crate
rustls-0.21.10.crate
Rustls is a modern TLS library written in Rust.
Library home page: https://static.crates.io/crates/rustls/rustls-0.21.10.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- ❌ rustls-0.21.10.crate (Vulnerable Library)
rustls-0.20.9.crate
Rustls is a modern TLS library written in Rust.
Library home page: https://static.crates.io/crates/rustls/rustls-0.20.9.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- activitypub_federation-0.5.1-beta.1.crate
- actix-web-4.4.1.crate
- actix-tls-3.2.0.crate
- tokio-rustls-0.23.4.crate
- ❌ rustls-0.20.9.crate (Vulnerable Library)
- tokio-rustls-0.23.4.crate
- actix-tls-3.2.0.crate
- actix-web-4.4.1.crate
- activitypub_federation-0.5.1-beta.1.crate
Found in base branch: main
Vulnerability Details
Rustls is a modern TLS library written in Rust. "rustls::ConnectionCommon::complete_io" could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a "close_notify" message immediately after "client_hello", the server's "complete_io" will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.
Publish Date: 2024-04-19
URL: CVE-2024-32650
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6g7w-8wpp-frhj
Release Date: 2024-04-19
Fix Resolution: rustls - 0.21.11,0.22.4,0.23.5
Step up your Open Source Security Game with Mend here
CVE-2024-27308
Vulnerable Library - mio-0.8.10.crate
Lightweight non-blocking I/O.
Library home page: https://static.crates.io/crates/mio/mio-0.8.10.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- tokio-postgres-0.7.10.crate
- tokio-1.35.1.crate
- ❌ mio-0.8.10.crate (Vulnerable Library)
- tokio-1.35.1.crate
- tokio-postgres-0.7.10.crate
Found in base branch: main
Vulnerability Details
Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free. For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio. The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected. This vulnerability has been fixed in mio v0.8.11. All versions of mio between v0.7.2 and v0.8.10 are vulnerable. Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable. Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.
Publish Date: 2024-03-06
URL: CVE-2024-27308
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2025-4432
Vulnerable Libraries - ring-0.17.7.crate, ring-0.16.20.crate
ring-0.17.7.crate
Safe, fast, small crypto using Rust.
Library home page: https://static.crates.io/crates/ring/ring-0.17.7.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- rustls-0.21.10.crate
- rustls-webpki-0.101.7.crate
- ❌ ring-0.17.7.crate (Vulnerable Library)
- rustls-webpki-0.101.7.crate
- rustls-0.21.10.crate
ring-0.16.20.crate
Safe, fast, small crypto using Rust.
Library home page: https://crates.io/api/v1/crates/ring/0.16.20/download
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- tokio-postgres-rustls-0.10.0.crate
- ❌ ring-0.16.20.crate (Vulnerable Library)
- tokio-postgres-rustls-0.10.0.crate
Found in base branch: main
Vulnerability Details
A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received.
Publish Date: 2025-05-09
URL: CVE-2025-4432
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2025-0009.html
Release Date: 2025-05-09
Fix Resolution: ring - 0.17.12
Step up your Open Source Security Game with Mend here
CVE-2025-24898
Vulnerable Library - openssl-0.10.63.crate
OpenSSL bindings
Library home page: https://static.crates.io/crates/openssl/openssl-0.10.63.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- activitypub_federation-0.5.1-beta.1.crate
- reqwest-0.11.23.crate
- tokio-native-tls-0.3.1.crate
- native-tls-0.2.11.crate
- ❌ openssl-0.10.63.crate (Vulnerable Library)
- native-tls-0.2.11.crate
- tokio-native-tls-0.3.1.crate
- reqwest-0.11.23.crate
- activitypub_federation-0.5.1-beta.1.crate
Found in base branch: main
Vulnerability Details
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions "ssl::select_next_proto" can return a slice pointing into the "server" argument's buffer but with a lifetime bound to the "client" argument. In situations where the "sever" buffer's lifetime is shorter than the "client" buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The crate"openssl" version 0.10.70 fixes the signature of "ssl::select_next_proto" to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of "ssl::select_next_proto" in the callback passed to "SslContextBuilder::set_alpn_select_callback", code is only affected if the "server" buffer is constructed within the callback.
Publish Date: 2025-02-03
URL: CVE-2025-24898
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-02-03
Fix Resolution: openssl - 0.10.70
Step up your Open Source Security Game with Mend here
CVE-2024-12224
Vulnerable Libraries - idna-0.3.0.crate, idna-0.5.0.crate
idna-0.3.0.crate
IDNA (Internationalizing Domain Names in Applications) and Punycode.
Library home page: https://static.crates.io/crates/idna/idna-0.3.0.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- lemmy_utils-0.19.3.crate
- markdown-it-0.6.0.crate
- mdurl-0.3.1.crate
- ❌ idna-0.3.0.crate (Vulnerable Library)
- mdurl-0.3.1.crate
- markdown-it-0.6.0.crate
- lemmy_utils-0.19.3.crate
idna-0.5.0.crate
IDNA (Internationalizing Domain Names in Applications) and Punycode.
Library home page: https://static.crates.io/crates/idna/idna-0.5.0.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- url-2.5.0.crate
- ❌ idna-0.5.0.crate (Vulnerable Library)
- url-2.5.0.crate
Found in base branch: main
Vulnerability Details
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
Publish Date: 2025-05-30
URL: CVE-2024-12224
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2025-3416
Vulnerable Library - openssl-0.10.63.crate
OpenSSL bindings
Library home page: https://static.crates.io/crates/openssl/openssl-0.10.63.crate
Path to dependency file: /Cargo.toml
Path to vulnerable library: /Cargo.toml
Dependency Hierarchy:
- lemmy_db_schema-0.19.3.crate (Root Library)
- activitypub_federation-0.5.1-beta.1.crate
- reqwest-0.11.23.crate
- tokio-native-tls-0.3.1.crate
- native-tls-0.2.11.crate
- ❌ openssl-0.10.63.crate (Vulnerable Library)
- native-tls-0.2.11.crate
- tokio-native-tls-0.3.1.crate
- reqwest-0.11.23.crate
- activitypub_federation-0.5.1-beta.1.crate
Found in base branch: main
Vulnerability Details
A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.
Publish Date: 2025-04-08
URL: CVE-2025-3416
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://rustsec.org/advisories/RUSTSEC-2025-0022.html
Release Date: 2025-04-08
Fix Resolution: https://github.com/sfackler/rust-openssl.git - openssl-v0.10.72
Step up your Open Source Security Game with Mend here