Rust Vulnerabilities: Most Common Issues You Need to Know

While Rust provides memory safety advantages over C/C++, vulnerabilities still emerge — particularly when developers use unsafe code blocks or rely on libraries with security gaps.

The rust-lang CI/CD Vulnerability

A critical flaw in the rust-lang/rustc_codegen_gcc repository allowed unauthorized code execution in privileged CI/CD pipelines. The vulnerable workflow downloaded external libraries without proper verification, potentially exposing repository secrets and enabling source code tampering.

This is a supply chain attack vector — the repository itself wasn’t compromised, but the build pipeline was vulnerable to manipulation through unverified external dependencies.

Hyper Package DoS Vulnerability

Hyper, Rust’s most popular HTTP library with 67+ million downloads, lacks built-in request body size limits. The body::to_bytes() function allocates memory proportional to the Content-Length header without validation.

Why this is critical: Attackers can send small HTTP requests with artificially inflated Content-Length values, causing memory allocation panics and immediate process crashes — a zero-click denial-of-service attack.

// VULNERABLE: No size limit before allocation
let body = hyper::body::to_bytes(response.into_body()).await?;

// SAFE: Enforce a size cap before reading
const MAX_ALLOWED_RESPONSE_SIZE: u64 = 1024 * 1024; // 1MB

let response_content_length = match response.body().size_hint().upper() {
    Some(v) => v,
    None => MAX_ALLOWED_RESPONSE_SIZE + 1,
};

if response_content_length <= MAX_ALLOWED_RESPONSE_SIZE {
    let body = hyper::body::to_bytes(response.into_body()).await?;
    // process body
}

Unsafe Code Blocks

Rust’s safety guarantees only apply to safe code. Once you enter an unsafe block, you opt out of the borrow checker’s protections. Common issues inside unsafe blocks include:

• Use-after-free — accessing memory after it has been deallocated
• Data races — concurrent access without synchronization
• Null pointer dereferences — dereferencing raw pointers without checking for null
• Buffer overflows — writing past the end of allocated memory

// RISKY: Raw pointer arithmetic without bounds checking
unsafe {
    let ptr = data.as_ptr();
    let element = *ptr.add(index); // No bounds check
}

// SAFER: Let Rust check the bounds
let element = data.get(index).expect("Index out of bounds");

Dependency Vulnerabilities

Even if your Rust code is perfectly safe, third-party crates can introduce vulnerabilities. Use cargo audit to scan your dependency tree:

cargo install cargo-audit
cargo audit

The RustSec Advisory Database tracks known vulnerabilities in crates. Integrate this into your CI/CD pipeline to catch vulnerable dependencies before they reach production.

Key Takeaways

• Memory-safe languages still require vigilant development practices
• Minimize unsafe code and document every usage thoroughly
• Implement size limits when handling untrusted input (HTTP bodies, file reads, network data)
• Audit your dependency tree regularly with cargo audit
• Treat CI/CD pipeline security as seriously as application code security — a compromised build pipeline can expose your entire codebase

Detect Rust Security Issues Automatically

Offensive360 SAST supports Rust code scanning, identifying unsafe block misuse, missing input validation, and dependency vulnerabilities across your codebase.