GHSA-3jch-9qgp-4844: Generated code can read and write out of bounds in safe code

June 16, 2022

Code generated by flatbuffers’ compiler is unsafe but not marked as such. See https://github.com/google/flatbuffers/issues/6627 for details.

All users that use generated code by flatbuffers compiler are recommended to:

not expose flatbuffer generated code as part of their public APIs
audit their code and look for any usage of follow, push, or any method that uses them (e.g. self_follow).
Carefuly go through the crates’ documentation to understand which “safe” APIs are not intended to be used.

References

github.com/advisories/GHSA-3jch-9qgp-4844
github.com/google/flatbuffers
github.com/google/flatbuffers/issues/6627
github.com/google/flatbuffers/pull/7518
github.com/google/flatbuffers/releases/tag/v22.9.29
rustsec.org/advisories/RUSTSEC-2021-0122.html

Code Behaviors & Features

Detect and mitigate GHSA-3jch-9qgp-4844 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →