CVE-2025-53604
📋 TL;DR
The web-push crate for Rust before version 0.10.3 is vulnerable to denial of service through memory exhaustion. Attackers can send HTTP requests with excessively large Content-Length headers, causing the server to allocate massive amounts of memory. This affects any Rust application using the vulnerable web-push crate for web push notification functionality.
💻 Affected Systems
- web-push Rust crate
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion, potentially causing application crashes and requiring manual intervention to restore service.
Likely Case
Temporary service degradation or intermittent outages as memory consumption spikes from malicious requests.
If Mitigated
Minimal impact with proper request validation, rate limiting, and memory monitoring in place.
🎯 Exploit Status
Exploitation requires sending HTTP requests to the vulnerable service, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.10.3
Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0015.html
Restart Required: Yes
Instructions:
1. Update Cargo.toml to specify web-push >= 0.10.3
2. Run 'cargo update web-push'
3. Rebuild and redeploy your application
4. Restart any running services using the updated crate
🔧 Temporary Workarounds
Implement request size validation
Add middleware or reverse-proxy configuration that rejects requests whose Content-Length header exceeds a reasonable limit
# Example nginx configuration
client_max_body_size 10m;
# Example Apache configuration
LimitRequestBody 10485760
Use external HTTP client
Configure web-push to use an external HTTP client implementation instead of the vulnerable built-in client
// In Rust code:
let client = reqwest::Client::new();
let service = WebPushServiceBuilder::new(client).build();
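The request-size validation described above, written out as a standalone check. This is an added Python example, not code from the web-push crate or from this advisory; it assumes a middleware or proxy layer that sees raw header pairs before any body buffer is allocated, and uses the same 10 MiB ceiling as the nginx and Apache settings. Besides the oversized case it handles the edge cases a naive check misses: duplicated Content-Length headers that disagree, negative or non-numeric values, and non-ASCII digit characters.

```python
import re

# Added example (not code from the web-push crate or this advisory): the kind of
# Content-Length check a reverse proxy or middleware layer performs before any
# body buffer is allocated. Same 10 MiB ceiling as the nginx/Apache settings above.
MAX_BODY_BYTES = 10 * 1024 * 1024

# Only ASCII digits are a valid Content-Length (RFC 7230 s3.3.2); str.isdigit()
# would also accept superscripts and other Unicode digit characters.
_DIGITS = re.compile(r"[0-9]+")


def check_content_length(headers, limit=MAX_BODY_BYTES):
    """Decide whether a request may proceed to body handling.

    headers: list of (name, value) pairs as received, so duplicated headers stay
    visible. Returns (accepted, reason).
    """
    values = [v.strip() for n, v in headers if n.lower() == "content-length"]
    if not values:
        return True, "no Content-Length declared"
    # Several Content-Length fields are only acceptable when they all agree.
    if len(set(values)) > 1:
        return False, "conflicting Content-Length headers"
    raw = values[0]
    if not _DIGITS.fullmatch(raw):
        return False, f"malformed Content-Length {raw!r}"
    declared = int(raw)
    if declared > limit:
        return False, f"declared body of {declared} bytes exceeds limit of {limit}"
    return True, f"declared body of {declared} bytes is within limit"


def filter_requests(requests, limit=MAX_BODY_BYTES):
    """Apply the check to many requests; returns a list of (request_id, accepted, reason)."""
    return [(rid, *check_content_length(hdrs, limit)) for rid, hdrs in requests]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample = [
        ("normal", [("Host", "push.example"), ("Content-Length", "512")]),
        ("oversized", [("content-length", "4294967296")]),
        ("conflicting", [("Content-Length", "10"), ("Content-Length", "20")]),
        ("malformed", [("Content-Length", "-1")]),
    ]
    for rid, accepted, reason in filter_requests(sample):
        print(f"{rid:12} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The check deliberately runs on the declared length only: the point of the workaround is to refuse the request before anything sized by that header is allocated, so the body is never read.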
🧯 If You Can't Patch
- Implement rate limiting and request filtering at network perimeter
- Deploy memory monitoring and alerting to detect abnormal consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock, or run 'cargo tree | grep web-push', to see whether a version below 0.10.3 is in use
Check Version:
cargo tree | grep web-push
Verify Fix Applied:
Verify web-push version is 0.10.3 or higher in Cargo.lock after update
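A scripted form of the Cargo.lock check above, as an added Python example (not from the web-push project or this advisory). It parses every [[package]] table in a lockfile rather than grepping, so it also catches the case where two copies of web-push are resolved and only one has been updated, and it orders versions numerically so that 0.10.10 is not mistaken for an older release than 0.10.3. The lockfile text below is a constructed sample; pass a real Cargo.lock path as the first argument to scan it.

```python
import re

# Added example (not from the web-push crate or this advisory): scans a Cargo.lock
# for every resolved copy of web-push and reports those below the fixed release.
FIXED_VERSION = "0.10.3"
CRATE = "web-push"

# Constructed Cargo.lock excerpt: a project that resolves two copies of the crate,
# one still on a vulnerable version, as happens when dependencies pin different ranges.
CONSTRUCTED_LOCKFILE = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "web-push"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "web-push"
version = "0.10.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

_KEY_VALUE = re.compile(r'(name|version)\s*=\s*"([^"]*)"')


def parse_lockfile(text):
    """Return (name, version) for each [[package]] table in a Cargo.lock."""
    packages = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # some other table, e.g. [metadata]
        elif current is not None:
            m = _KEY_VALUE.fullmatch(line)
            if m:
                current[m.group(1)] = m.group(2)
    return [(p["name"], p["version"]) for p in packages if "name" in p and "version" in p]


def version_key(version):
    """Sortable key for a semver string; a pre-release sorts below its final release."""
    core, _, prerelease = version.partition("-")
    core = core.split("+", 1)[0]  # drop build metadata
    parts = [int(x) for x in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts), 0 if prerelease else 1


def vulnerable_versions(lock_text, crate=CRATE, fixed=FIXED_VERSION):
    """Versions of `crate` in the lockfile that are older than `fixed`."""
    return [v for n, v in parse_lockfile(lock_text)
            if n == crate and version_key(v) < version_key(fixed)]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_LOCKFILE
    bad = vulnerable_versions(text)
    if bad:
        print(f"VULNERABLE: {CRATE} {', '.join(bad)} resolved (fixed in {FIXED_VERSION})")
        sys.exit(1)
    print(f"OK: no {CRATE} older than {FIXED_VERSION} in lockfile")
```

The script exits non-zero when a vulnerable version is resolved, so it can run as a CI gate after `cargo update`.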
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with abnormally large Content-Length values
- Sudden spikes in memory usage
- Application crashes or restarts
Network Indicators:
- HTTP requests with Content-Length headers exceeding normal bounds
- Repeated requests from single sources
SIEM Query:
source="web_server" Content-Length > 100000000 | stats count by src_ip
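The same aggregation as the SIEM query above, run over sample log lines so the logic can be checked offline. This is an added Python example, not part of this advisory; the log lines are constructed in a made-up key=value format (addresses from RFC 5737 documentation ranges) and the two regexes are the only part tied to that format. It uses the query's 100000000-byte threshold, skips lines with no declared length or an unparsable one, and adds the "repeated requests from a single source" indicator as a second step.

```python
import re
from collections import Counter

# Added example (not from this advisory's SIEM query or the web-push crate): the
# same aggregation as the query above, run over constructed log lines so it can be
# tested offline. Lines are in a made-up key=value format; adjust the regexes to
# your server's log format.
THRESHOLD = 100_000_000  # bytes, matching the "Content-Length > 100000000" query

# Constructed sample log lines, not real traffic (addresses from RFC 5737 ranges).
CONSTRUCTED_LOG = """\
2025-07-01T12:00:01Z src_ip=203.0.113.7 method=POST path=/push content_length=4294967296 status=413
2025-07-01T12:00:02Z src_ip=198.51.100.20 method=POST path=/push content_length=512 status=201
2025-07-01T12:00:03Z src_ip=203.0.113.7 method=POST path=/push content_length=9999999999 status=413
2025-07-01T12:00:04Z src_ip=203.0.113.7 method=GET path=/health status=200
2025-07-01T12:00:05Z src_ip=198.51.100.20 method=POST path=/push content_length=150000000 status=413
this line is not in the expected format
2025-07-01T12:00:06Z src_ip=203.0.113.7 method=POST path=/push content_length=abc status=400
"""

_SRC = re.compile(r"\bsrc_ip=(\S+)")
_LEN = re.compile(r"\bcontent_length=([0-9]+)\b")


def parse_line(line):
    """Return (src_ip, content_length) or None when either field is absent/invalid."""
    src = _SRC.search(line)
    length = _LEN.search(line)
    if not src or not length:
        return None
    return src.group(1), int(length.group(1))


def oversized_by_source(log_text, threshold=THRESHOLD):
    """Count requests per source whose declared Content-Length exceeds threshold
    (the 'stats count by src_ip' part of the SIEM query)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] > threshold:
            counts[parsed[0]] += 1
    return dict(counts)


def repeat_offenders(counts, min_hits=2):
    """Sources with at least min_hits oversized requests, most active first."""
    return [ip for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
            if n >= min_hits]


if __name__ == "__main__":
    counts = oversized_by_source(CONSTRUCTED_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} oversized request(s)")
    print("repeat offenders:", repeat_offenders(counts))
```

On the constructed sample this reports two oversized requests from 203.0.113.7 and one from 198.51.100.20; lowering the threshold shows how noisy the single-request count becomes, which is why the repeat-offender step is worth alerting on separately.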