Publish GHSA-x77x-7mmh-cxv3

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-x77x-7mmh-cxv3/GHSA-x77x-7mmh-cxv3.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x77x-7mmh-cxv3",
+  "modified": "2025-10-22T17:08:50Z",
+  "published": "2025-10-22T17:08:50Z",
+  "aliases": [],
+  "summary": "ncurses exposes uninitialized memory in string reading functions",
+  "details": "Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.\n\nThis allows reading uninitialized memory which may contain sensitive data from previous allocations.\n\nThe ncurses-rs repository is archived and unmaintained.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "ncurses"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "6.0.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/RustSec/advisory-db/pull/2427"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jeaye/ncurses-rs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0108.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-22T17:08:50Z",
+    "nvd_published_at": null
+  }
+}