Home > Vulnerability Database > WS-2023-0096

Mend.io Vulnerability Database

WS-2023-0096

Date: August 19, 2025

Affected versions of borsh cause undefined behavior when zero-sized-types (ZST) are parsed and the Copy/Clone traits are not implemented/derived. For instance if 1000 instances of a ZST are deserialized, and the ZST is not copy (this can be achieved through a singleton), then accessing/writing to deserialized data will cause a segmentation fault. There is currently no way for borsh to read data without also providing a Rust type. Therefore, if not ZST are used for serialization, then you are not affected by this issue.

Language: RUST

Severity Score

8.8

Related Resources (6)

Url: https://crates.io/crates/borsh

Url: https://github.com/near/borsh-rs

Url: https://rustsec.org/advisories/RUSTSEC-2023-0033.html

Url: https://github.com/near/borsh-rs/pull/136

Url: https://github.com/near/borsh-rs/issues/19

Url: https://www.mend.io/vulnerability-database/WS-2023-0096

Severity Score

8.8

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0096

Date: August 19, 2025

Language: RUST

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?