Denial of Service Vulnerability in Rust's Web Push Clients
CVE-2025-53604

4 MEDIUM

Key Information:

Vendor: Pimeys

Status
Vendor
CVE Published: 5 July 2025

What is CVE-2025-53604?

The web-push crate for Rust, prior to version 0.10.3, is susceptible to a denial of service attack where a crafted large integer in the Content-Length header can lead to excessive memory consumption in built-in clients. This vulnerability could allow attackers to exhaust server resources, impacting the availability of services utilizing the affected crate. Developers are encouraged to upgrade to the latest version to mitigate this risk.
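The bug class described above, shown from the defensive side as an added example; it is not code from the web-push crate or from this advisory. It treats `Content-Length` as an untrusted hint and bounds both the declared and the actual body size. The function name, error type and 64 KiB cap are assumptions made for illustration.

```rust
use std::io::Read;

/// Hypothetical limit for a push-service response body (assumption, tune per deployment).
const MAX_BODY_BYTES: u64 = 64 * 1024;

#[derive(Debug, PartialEq)]
enum BodyError {
    BadHeader,             // Content-Length is not a valid u64
    DeclaredTooLarge(u64), // header announces more than the cap
    ActualTooLarge,        // peer sent more than the cap regardless of the header
    Io,
}

/// Read a response body while treating Content-Length as an untrusted hint.
fn read_body_capped<R: Read>(
    content_length: Option<&str>,
    body: R,
    cap: u64,
) -> Result<Vec<u8>, BodyError> {
    let declared = match content_length {
        Some(v) => Some(v.trim().parse::<u64>().map_err(|_| BodyError::BadHeader)?),
        None => None,
    };
    if let Some(n) = declared {
        if n > cap {
            return Err(BodyError::DeclaredTooLarge(n)); // reject before allocating anything
        }
    }
    // Pre-allocate from the header only after it has been bounded by the cap.
    let mut buf = Vec::with_capacity(declared.unwrap_or(0) as usize);
    // Read at most cap + 1 bytes so an oversized body is detected, not buffered.
    body.take(cap.saturating_add(1))
        .read_to_end(&mut buf)
        .map_err(|_| BodyError::Io)?;
    if buf.len() as u64 > cap {
        return Err(BodyError::ActualTooLarge);
    }
    Ok(buf)
}

fn main() {
    // Constructed inputs: a header claiming u64::MAX bytes, then an honest small response.
    let huge = u64::MAX.to_string();
    println!("{:?}", read_body_capped(Some(huge.as_str()), &b"x"[..], MAX_BODY_BYTES));
    println!("{:?}", read_body_capped(Some("2"), &b"ok"[..], MAX_BODY_BYTES));
}
```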

Affected Version(s)

web-push 0 < 0.10.3

CVSS V3.1

Score: 4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
