Home > Vulnerability Database > WS-2023-0422

Mend.io Vulnerability Database

WS-2023-0422

Date: August 19, 2025

Insufficient covariance check makes self_cell unsound: All public versions prior to 1.02 used an insufficient check to ensure that users correctly marked the dependent type as either covariant or not_covariant. This allowed users to mark a dependent as covariant even though its type was not covariant but invariant, for certain invariant types involving trait object lifetimes. One example for such a dependent type is type Dependent<'a> = RefCell<Box<dyn fmt::Display + 'a>>. Such a type allowed unsound usage in purely safe user code that leads to undefined behavior. The patched versions now produce a compile time error if such a type is marked as covariant.

Language: RUST

Severity Score

8.8

Related Resources (5)

Url: https://github.com/Voultapher/self_cell/issues/49

Url: https://github.com/Voultapher/self_cell

Url: https://rustsec.org/advisories/RUSTSEC-2023-0070.html

Url: https://github.com/Voultapher/self_cell/commit/50790f69b0f926c7b2936b9963c37616f5822e1e

Url: https://www.mend.io/vulnerability-database/WS-2023-0422

Severity Score

8.8

Weakness Type (CWE)

Insufficient Verification of Data Authenticity

CWE-345

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0422

Date: August 19, 2025

Language: RUST

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?