CVE-2020-25575

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Rust failure crate (versions through 0.1.5) is a type confusion flaw in its downcasting logic, which could lead to memory corruption or undefined behavior. It affects applications that depend on this unmaintained error-handling library, potentially allowing attackers to execute arbitrary code or crash those applications. Only products using this no-longer-maintained crate are vulnerable.

💻 Affected Systems

Products:
  • failure crate for Rust
Versions: through 0.1.5
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the failure crate. The crate is no longer maintained and users should migrate to alternative error handling libraries.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case

Application crashes (denial of service) or memory corruption leading to unpredictable behavior.

🟢 If Mitigated

Limited impact if applications don't use vulnerable downcasting features or have proper sandboxing.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific conditions where vulnerable downcasting is used. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0036.html

Restart Required: Yes

Instructions:

1. Migrate from the failure crate to an alternative error handling library such as anyhow or thiserror.
2. Update Cargo.toml to remove the failure dependency.
3. Refactor code to use the new error handling approach.
4. Rebuild and redeploy applications.

🔧 Temporary Workarounds

Migrate to alternative error handling (applies to: all)

Replace failure crate usage with maintained alternatives like anyhow or thiserror:

cargo remove failure
cargo add anyhow

🧯 If You Can't Patch

  • Isolate affected applications in containers or sandboxes to limit potential damage
  • Implement strict input validation and monitoring for abnormal application behavior

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for failure crate version 0.1.5 or earlier

Check Version:

grep -r "failure" Cargo.toml && grep -A2 -B2 "failure" Cargo.lock

Verify Fix Applied:

Verify failure crate is removed from dependencies and application builds successfully with alternative error handling
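The grep above only shows whether the string "failure" appears; the POSIX shell check below, added here and not part of the advisory, parses Cargo.lock and flags only the `failure` crate itself when its pinned version falls in the stated affected range (through 0.1.5). It assumes the standard Cargo.lock layout of `[[package]]` blocks with `name = "..."` and `version = "..."` lines; the sample lock file content and its path are constructed for the demonstration.

```shell
# Added example, not part of the advisory: scan a Cargo.lock for the `failure`
# crate and flag versions in the affected range (through 0.1.5). Assumes the
# standard Cargo.lock layout of [[package]] blocks with `name = "..."` and
# `version = "..."` lines; the sample file below is constructed.

# Print every version of the `failure` crate pinned in the given Cargo.lock.
# `failure_derive` and other crates with similar names are not matched.
failure_versions() {
  awk '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); if (name == "failure") print $3 }
  ' "$1"
}

# Exit 0 if any pinned `failure` version is 0.1.5 or earlier, else 1.
# Compares numeric major.minor.patch fields; the advisory's affected range
# is every 0.0.x release and 0.1.x with x <= 5.
failure_vulnerable() {
  failure_versions "$1" | awk -F. '
    ($1 == 0) && ($2 < 1 || ($2 == 1 && $3 <= 5)) { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample Cargo.lock: `failure` 0.1.5 pulled in alongside anyhow.
SAMPLE_LOCK="${TMPDIR:-/tmp}/cve-2020-25575-sample.lock.$$"
cat > "$SAMPLE_LOCK" <<'EOF'
[[package]]
name = "anyhow"
version = "1.0.40"

[[package]]
name = "failure"
version = "0.1.5"
dependencies = [
 "backtrace",
 "failure_derive",
]

[[package]]
name = "failure_derive"
version = "0.1.5"
EOF

if failure_vulnerable "$SAMPLE_LOCK"; then
  echo "vulnerable: failure $(failure_versions "$SAMPLE_LOCK" | tr '\n' ' ')"
else
  echo "no affected failure version pinned"
fi
```

Run it against a real lock file by calling `failure_vulnerable path/to/Cargo.lock`; a zero exit status means an affected version is pinned somewhere in the dependency tree, not just in direct dependencies.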

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Unexpected panics in Rust applications

Network Indicators:

  • Unusual outbound connections from affected applications

SIEM Query:

process.name: "rust_app" AND (event.type: "crash" OR event.type: "panic")
