rust-openssl: use after free in ssl::select_next_proto (CVE-2025-24898) #shorts

Summary

In today's episode, we discuss a critical vulnerability identified as CVE-2025-24898, affecting the rust-openssl library. This issue involves a use after free error that can potentially cause servers to crash or leak sensitive information. We delve into the specifics of the affected versions, solutions, and the potential impact on users.

Product details

The vulnerability affects rust-openssl, a set of OpenSSL bindings for the Rust programming language. This library is commonly used to facilitate secure network communication in Rust applications. The affected version range is 0.10.0 to 0.10.69, and users are advised to upgrade to version 0.10.70 where the issue is resolved.

Vulnerability type summary

CVE-2025-24898 is classified under CWE-416, which pertains to 'Use After Free' vulnerabilities. This type of issue occurs when a program continues to use memory space after it has been freed, leading to potential crashes or the exposure of sensitive data.

Details of the vulnerability

The vulnerability originates in the `ssl::select_next_proto` function of the affected rust-openssl versions. The function returns a slice pointing into the `server` argument's buffer, but the slice's lifetime is bound only to the `client` argument. If the `server` buffer lives for a shorter time than the `client` buffer, the returned slice dangles and the result is a use after free, which can crash the server or disclose arbitrary memory contents to the client. Version 0.10.70 corrects the function's signature so that the output lifetime is constrained to both input buffers, and Rust developers are urged to upgrade. Standard use of `ssl::select_next_proto` inside the callback passed to `SslContextBuilder::set_alpn_select_callback` is affected only if the `server` buffer is constructed within that callback.
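To make the lifetime point concrete, here is an added illustration (not rust-openssl's own code): a safe-Rust stand-in for `ssl::select_next_proto` whose output lifetime is tied to both inputs, as the 0.10.70 fix does, together with the usual callback pattern. The `alpn_protos` helper, `SERVER_PROTOS` and `alpn_callback` are assumed names for this example, and the ALPN wire format used (a one-byte length before each protocol name) is the one OpenSSL expects.

```rust
// Added illustration, not rust-openssl's own code: a safe-Rust stand-in for
// ssl::select_next_proto with the output lifetime constrained to BOTH inputs.
// ALPN wire format: each protocol name is preceded by a one-byte length.

/// Walk the length-prefixed protocol names in an ALPN buffer. A malformed
/// entry (empty name, or length past the end) ends iteration, never reads OOB.
fn alpn_protos<'a>(buf: &'a [u8]) -> impl Iterator<Item = &'a [u8]> + 'a {
    let mut rest = buf;
    std::iter::from_fn(move || {
        let (&len, tail) = rest.split_first()?;
        let len = len as usize;
        if len == 0 || tail.len() < len {
            return None;
        }
        let (proto, tail) = tail.split_at(len);
        rest = tail;
        Some(proto)
    })
}

/// Server-preference selection, mirroring SSL_select_next_proto: the first
/// protocol in `server` order that the client also offered. The result
/// borrows from `server`, so `'a` must cover `server` as well; binding it to
/// `client` alone (the 0.10.x defect) let a dangling slice escape.
pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    alpn_protos(server).find(|s| alpn_protos(client).any(|c| c == *s))
}

/// Safe usage pattern: the server list outlives the callback (here 'static),
/// as in the common call `ssl::select_next_proto(b"\x02h2\x08http/1.1", client)`.
const SERVER_PROTOS: &[u8] = b"\x02h2\x08http/1.1";

pub fn alpn_callback(client: &[u8]) -> Option<&[u8]> {
    select_next_proto(SERVER_PROTOS, client)
}

// The affected pattern, a `server` buffer built inside the callback, no longer
// compiles once the signature is constrained as above (borrow of a local):
//
//     fn bad_callback(client: &[u8]) -> Option<&[u8]> {
//         let server = b"\x02h2".to_vec();
//         select_next_proto(&server, client) // error: `server` does not live long enough
//     }

fn main() {
    // Constructed client offer: http/1.1 listed first, h2 second; server prefers h2.
    println!("{:?}", alpn_callback(b"\x08http/1.1\x02h2").map(String::from_utf8_lossy));
}
```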

Conclusion

CVE-2025-24898 is a critical vulnerability that underscores that memory safety is only as strong as a project's dependencies. While the Rust language prioritizes safety, bindings such as rust-openssl can reintroduce memory-safety risks if they are not kept up to date. We recommend that all developers using affected versions upgrade to version 0.10.70 promptly to mitigate potential security breaches and ensure the robustness of their applications.

Watch the full video on YouTube: CVE-2025-24898


CVE database technical details

CVE ID
CVE-2025-24898
Description
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The crate `openssl` version 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback.
Provider
GitHub_M
CWE / problem types
CWE-416: Use After Free
Affected Software Versions
sfackler/rust-openssl: >= 0.10.0, < 0.10.70 (affected)
Date Published
2025-02-03T17:57:39.558Z
Last Updated
2025-02-12T20:51:24.929Z