GHSA-mj73-j457-8x9q: maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe

December 2, 2025 (updated December 11, 2025)

maxminddb prior to version 0.27 declared Reader::open_mmap as safe despite wrapping an inherently unsafe memmap2 operation with no extra step done to guarantee safety. This could have led to undefined behaviour if the file were to be modified on disk while the memory map was still active.

References

github.com/advisories/GHSA-mj73-j457-8x9q
github.com/oschwald/maxminddb-rust
github.com/oschwald/maxminddb-rust/commit/98f0e4fff9678c841ed33f3b8a46322f6163c32a
github.com/oschwald/maxminddb-rust/issues/86
rustsec.org/advisories/RUSTSEC-2025-0132.html

Code Behaviors & Features

Detect and mitigate GHSA-mj73-j457-8x9q with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →