Improper Control of a Resource Through its Lifetime Affecting tokio package, versions >=1.39.0 <1.43.1>=0.2.5 <1.38.2>=1.44.0 <1.44.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-TOKIO-9804284
- published24 Apr 2025
- disclosed7 Apr 2025
- creditAustin Bonander
Introduced: 7 Apr 2025
New CVE NOT AVAILABLE CWE-664 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade tokio to version 1.43.1, 1.38.2, 1.44.2 or higher.
Overview
tokio is an An event-driven, non-blocking I/O platform for writing asynchronous I/O backed applications.
Affected versions of this package are vulnerable to Improper Control of a Resource Through its Lifetime due to the improper internal handling of the clone operation on non-Sync types within the broadcast channel. An attacker can exploit this behavior to cause unsoundness in the system by using types that are Send but not Sync.