GHSA-2c6h-4899-wjxr: scaly: Multiple soundness issues in Rust safe APIs

April 4, 2026

Affected versions contain multiple safe APIs that can trigger undefined behavior:

Array<T>::index can perform an out-of-bounds read.
String::get_length can perform an out-of-bounds read.
String::append_character can perform an invalid write.
String::to_c_string can perform an out-of-bounds write.

These issues were reproduced against scaly 0.0.37 under Miri. The crate is unmaintained.

References

github.com/advisories/GHSA-2c6h-4899-wjxr
github.com/rschleitzer/Scaly
github.com/rustsec/advisory-db/issues/2594
rustsec.org/advisories/RUSTSEC-2026-0080.html

Code Behaviors & Features

Detect and mitigate GHSA-2c6h-4899-wjxr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →