GHSA-mc22-5q92-8v85
MEDIUMMemory Safety Issue when using patch or merge on state and assign the result back to state
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
tremor-scriptReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Impact
This vulnerability is a memory safety Issue when using patch or merge on state and assign the result back to state.
In this case affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the state, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct.
Details
If affects the following two tremor-script language constructs:
- A Merge where we assign the result back to the target expression
and the expression to be merged needs to reference the
event:
let state = merge state of event end;
- A Patch where we assign the result back to the target expression
and the patch operations used need to reference the
event:
let state = patch state of insert event.key => event.value end;
For constructs like this (it does not matter what it references in the expression to be merged or the patch operations) an optimization was applied to manipulate the target value in-place, instead of cloning it.
Our Value struct, which underpins all event data in tremor-script, is representing strings as borrowed beef::Cow<'lifetime, str>,
that reference the raw data Vec<u8> the event is based upon. We keep this raw byte-array next to the Value structure inside our Event as a self-referential struct,
so we make sure that the structured Value and its references are valid across its whole lifetime.
The optimization was considered safe as long as it was only possible to merge or patch event data or static data.
When state was introduced to tremor-script (in version 0.7.3) a new possibility to keep Value data around for longer than the lifetime of an event emerged.
If event data is merged or patched into state without cloning it first, it can still reference keys or values from
the previous event, which will now be invalid. This allows access to those already freed regions of memory and to get their content out over the wire.
Patches
The issue has been patched in https://crates.io/crates/tremor-script/0.11.6 and https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6 via commit 1a2efcd by removing the optimization and always clone the target expression of a Merge or [Patch](https://www.tremor.rs/docs/tremor-script/index#patch.
Workarounds
If an upgrade is not possible, a possible workaround is to avoid the optimization
by introducing a temporary variable and not immediately reassigning to state:
let tmp = merge state of event end;
let state = tmp
References
The actual fix is applied in this PR: https://github.com/tremor-rs/tremor-runtime/pull/1217
For more information
If you have any questions or comments about this advisory:
- Open an issue on our repository tremor-rs/tremor-runtime
- Please join our discord https://chat.tremor.rs and reach out to the team.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | tremor-script | ≥ 0.7.3&&< 0.11.6 | 0.11.6 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for tremor-script. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update tremor-script to 0.11.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-mc22-5q92-8v85 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-mc22-5q92-8v85 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-mc22-5q92-8v85. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-mc22-5q92-8v85 in your dependencies?
O3 detects GHSA-mc22-5q92-8v85 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.