GHSA-8f24-6m29-wm2r
use-after-free in tracing
Blast Radius
tracingReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
The implementation of the Instrumented::into_inner method in affected versions of this crate contains undefined behavior due to incorrect use of std::mem::forget The function creates *const pointers to self, calls mem::forget(self), and then moves values out of those pointers using std::ptr::read.
// To manually destructure `Instrumented` without `Drop`, we
// move it into a ManuallyDrop and use pointers to its fields
let span: *const Span = &this.span;
let inner: *const ManuallyDrop<T> = &this.inner;
mem::forget(self);
// SAFETY: Those pointers are valid for reads, because `Drop` didn't
// run, and properly aligned, because `Instrumented` isn't
// `#[repr(packed)]`.
let _span = unsafe { span.read() };
let inner = unsafe { inner.read() };
However, the mem::forget documentation states:
Any resources the value manages, such as heap memory or a file handle, will linger forever in an unreachable state. However, it does not guarantee that pointers to this memory will remain valid.
This means that these pointers are no longer valid. This could result in a stack use-after-free if LLVM chooses to reuse self's stack slot for a rebinding after the call to std::mem::forget.
This undefined behavior has not been observed to cause miscompilation as of Rust 1.73.0. However, any use of this method with the affected versions of tracing are unsound.
The flaw was corrected in commit 20a1762 (PR #2765) by replacing the use of std::mem::forget with std::mem::ManuallyDrop, ensuring that the stack slot is not reused and the pointers remain valid when they are read. The fix is
published in tracing v0.1.40. Affected versions have been yanked from crates.io.
Thanks to Taylor Cramer and Manish Goregaokar for finding and correcting this issue!
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | tracing | ≥ 0.1.38&&< 0.1.40 | 0.1.40 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for tracing. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update tracing to 0.1.40 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8f24-6m29-wm2r is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-8f24-6m29-wm2r is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-8f24-6m29-wm2r. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-8f24-6m29-wm2r in your dependencies?
O3 detects GHSA-8f24-6m29-wm2r across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.