{"id":"GHSA-927q-g9w9-pm54","summary":"Panic in mp3-metadata due to the lack of bounds checking","details":"The `get_id3()` methods used by `mp3_metadata::read_from_slice()` does not perform adequate bounds checking when recreating the tag due to the use of desynchronization.\n\nFixed in [Fix index error](https://github.com/GuillaumeGomez/mp3-metadata/pull/37), released as part of 0.4.0.","aliases":["RUSTSEC-2025-0027"],"modified":"2025-10-28T06:29:23.888737Z","published":"2025-04-30T17:41:16Z","database_specific":{"github_reviewed":true,"nvd_published_at":null,"severity":"MODERATE","cwe_ids":["CWE-119"],"github_reviewed_at":"2025-04-30T17:41:16Z"},"references":[{"type":"WEB","url":"https://github.com/GuillaumeGomez/mp3-metadata/issues/36"},{"type":"WEB","url":"https://github.com/GuillaumeGomez/mp3-metadata/pull/37"},{"type":"PACKAGE","url":"https://github.com/GuillaumeGomez/mp3-metadata"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2025-0027.html"}],"affected":[{"package":{"name":"mp3-metadata","ecosystem":"crates.io","purl":"pkg:cargo/mp3-metadata"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-927q-g9w9-pm54/GHSA-927q-g9w9-pm54.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"}]}