CVE-2026-25727: time vulnerable to stack exhaustion Denial of Service attack
When user-provided input is passed to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely used features of the RFC 2822 format, used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.
References
- github.com/advisories/GHSA-r6v5-fh4h-64xc
- github.com/time-rs/time
- github.com/time-rs/time/blob/main/CHANGELOG.md
- github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee
- github.com/time-rs/time/releases/tag/v0.3.47
- github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc
- nvd.nist.gov/vuln/detail/CVE-2026-25727
- rustsec.org/advisories/RUSTSEC-2026-0009.html
Detect and mitigate CVE-2026-25727 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.