Use After Free Vulnerability in rust-openssl Affecting OpenSSL Bindings
CVE-2025-24898
What is CVE-2025-24898?
The rust-openssl library, which provides OpenSSL bindings for the Rust programming language, contains a vulnerability in the ssl::select_next_proto function. The function can mistakenly return a memory slice whose lifetime is bound to the client argument while the slice actually points into the buffer of the server argument. When the server buffer's lifetime is shorter than that of the client buffer, the returned slice can outlive the memory it points to, resulting in a use-after-free. This vulnerability can potentially crash the server or expose arbitrary memory contents to clients. It is critical for users to update to version 0.10.70 of the openssl crate to mitigate this issue, especially in standard use cases involving callbacks via SslContextBuilder::set_alpn_select_callback.
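As an added illustration, and not rust-openssl's own code, the following pure-Rust model of ALPN server-preference selection shows what the signature the page describes (a result bound to the lifetime of `client`) has to guarantee: the returned slice must be a sub-slice of `client`, so the borrow checker can prove it never outlives its buffer even when the server list is freed first. The protocol lists are constructed sample values and the helper names are hypothetical.

```rust
/// Iterate over an ALPN-style protocol list: each entry is a one-byte length
/// followed by that many bytes, e.g. b"\x02h2\x08http/1.1".
fn protocols(list: &[u8]) -> impl Iterator<Item = &[u8]> {
    let mut rest = list;
    std::iter::from_fn(move || {
        let (&len, tail) = rest.split_first()?;
        let len = len as usize;
        if len == 0 || tail.len() < len {
            rest = &[]; // malformed or truncated entry: stop parsing
            return None;
        }
        let (proto, tail) = tail.split_at(len);
        rest = tail;
        Some(proto)
    })
}

/// Server-preference selection whose lifetime matches what it returns: the
/// result is searched for in `client`, so it is always a sub-slice of `client`.
/// A binding that advertised this signature but handed back a pointer into
/// `server` (the defect described above) would violate this invariant.
fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
    protocols(server).find_map(|wanted| protocols(client).find(|&p| p == wanted))
}

/// True if `slice` lies entirely inside `buf`'s allocation (the invariant
/// that a caller can check when the slice comes from unsafe or FFI code).
fn within(slice: &[u8], buf: &[u8]) -> bool {
    let (s, e) = (slice.as_ptr() as usize, slice.as_ptr() as usize + slice.len());
    let (bs, be) = (buf.as_ptr() as usize, buf.as_ptr() as usize + buf.len());
    bs <= s && e <= be
}

/// Models the risky ordering: the server's preference list is built and
/// dropped inside the selection step while the client's offer lives longer.
/// With the correct signature the returned slice is still valid afterwards.
fn choose_for_client(client: &[u8]) -> Option<&[u8]> {
    let server: Vec<u8> = b"\x02h2\x08http/1.1".to_vec(); // constructed prefs
    let chosen = select_next_proto(&server, client);
    drop(server); // the server buffer is gone; `chosen` borrows only `client`
    chosen
}

fn main() {
    let client = b"\x08http/1.1\x02h2"; // constructed client offer
    match choose_for_client(client) {
        Some(p) => println!("selected {} (in client buffer: {})",
                            String::from_utf8_lossy(p), within(p, client)),
        None => println!("no protocol overlap"),
    }
}
```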

Affected Version(s)
rust-openssl >= 0.10.0, < 0.10.70
