GHSA-rhfx-m35p-ff5j: `IterMut` violates Stacked Borrows by invalidating internal pointer

January 7, 2026

Affected versions of this crate contain a soundness issue in the IterMut iterator implementation. The IterMut::next and IterMut::next_back methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer.

This invalidates the shared pointer held by the internal HashMap, violating Stacked Borrows rules.

References

github.com/advisories/GHSA-rhfx-m35p-ff5j
github.com/jeromefroe/lru-rs
github.com/jeromefroe/lru-rs/pull/224
rustsec.org/advisories/RUSTSEC-2026-0002.html

Code Behaviors & Features

Detect and mitigate GHSA-rhfx-m35p-ff5j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →