GHSA-WWQ9-3CPR-MM53 — Vulnetix

GHSA-WWQ9-3CPR-MM53 PUBLISHED

Borsh serialization of HashMap is non-canonical

Affected Products

Vendor	Product	Versions
crates.io	hashbrown	0.15.0, 0.15.0, 0.15.0

Timeline

Dec 4, 2024 CVE Published
Oct 31, 2025 CVE Updated

References

https://github.com/kayabaNerve/hashbrown-borsh-poc url
https://github.com/rust-lang/hashbrown product
https://rustsec.org/advisories/RUSTSEC-2024-0402.html url
GitHub Advisory GHSA-wwq9-3cpr-mm53 vendor-advisory
https://github.com/rust-lang/hashbrown/issues/576 url

Open in Interactive Console →

$ Console Community · 100/wk Open console ›