
GHSA-fp5x-7m4q-449f

Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer

Also known as: RUSTSEC-2025-0105
Published: Oct 21, 2025
Updated: Oct 28, 2025
Affected: 1 pkg
Patched: 1 / 1
Exploits: None indexed

Blast Radius

1 pkg affected
🦀direct_ring_buffer


Description

The safe function create_ring_buffer allocates a buffer using Vec::with_capacity followed by set_len, creating a Box<[T]> containing uninitialized memory.

This leads to undefined behavior when functions like write_slices create typed slices (e.g., &mut [bool]) over the uninitialized memory, violating Rust's validity invariants. The issue has been confirmed using Miri.

Fixed in version 0.2.2 by using resize_with to properly initialize the buffer with T::default(), adding a T: Default bound to ensure sound initialization.
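The allocation pattern the advisory describes and the 0.2.2 fix, side by side, as an added example that is not the crate's own code; the function names and the small `write_wrapping` helper (a stand-in for a `write_slices`-style operation) are hypothetical:

```rust
// Added illustration of the advisory's bug class; not code from direct_ring_buffer.

/// UNSOUND: mirrors the pre-0.2.2 pattern. `set_len` exposes `capacity` slots
/// that were never written, so the returned `Box<[T]>` holds uninitialized
/// memory. Forming a typed slice over it (e.g. `&mut [bool]`) is undefined
/// behaviour, which Miri reports. Kept only for comparison; never called.
#[allow(dead_code)]
fn create_ring_buffer_unsound<T>(capacity: usize) -> Box<[T]> {
    let mut v: Vec<T> = Vec::with_capacity(capacity);
    // Validity violation: elements 0..capacity are not initialized.
    unsafe { v.set_len(capacity) };
    v.into_boxed_slice()
}

/// SOUND: the 0.2.2 approach. `resize_with` writes `T::default()` into every
/// slot before the slice is exposed, which is why a `T: Default` bound is needed.
fn create_ring_buffer_sound<T: Default>(capacity: usize) -> Box<[T]> {
    let mut v: Vec<T> = Vec::with_capacity(capacity);
    v.resize_with(capacity, T::default);
    v.into_boxed_slice()
}

/// Hypothetical stand-in for a `write_slices`-style operation: copy `src` into
/// `buf` starting at `offset`, wrapping at the end, and return the next write
/// position. Only sound because every slot already holds a valid `T`.
fn write_wrapping<T: Copy>(buf: &mut [T], offset: usize, src: &[T]) -> usize {
    let cap = buf.len();
    assert!(offset < cap, "offset out of range");
    assert!(src.len() <= cap, "write larger than buffer");
    let first = (cap - offset).min(src.len());
    buf[offset..offset + first].copy_from_slice(&src[..first]);
    buf[..src.len() - first].copy_from_slice(&src[first..]);
    (offset + src.len()) % cap
}

fn main() {
    let mut buf: Box<[bool]> = create_ring_buffer_sound(8);
    // Every slot is a valid `bool` (false) before any write takes place.
    assert!(buf.iter().all(|&b| !b));
    let next = write_wrapping(&mut buf, 6, &[true, true, true]);
    println!("next write position: {next}, buffer: {buf:?}");
}
```

Running the unsound variant under `cargo miri` is what surfaces the violation; the sound variant passes because no slot is ever read before it is written.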

Affected Packages

1 total, 1 fixed

Ecosystem | Package            | Vulnerable range | Fix
crates.io | direct_ring_buffer | all versions     | 0.2.2

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (for a Rust project, Cargo.lock) for direct_ring_buffer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update direct_ring_buffer to 0.2.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fp5x-7m4q-449f is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-fp5x-7m4q-449f is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-fp5x-7m4q-449f. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
