{"id":"GHSA-rwq6-crjg-9cpw","summary":"ic-cdk has a memory leak when calling a canister method via `ic_cdk::call`","details":"When a canister method is called via `ic_cdk::call*`, a new Future `CallFuture` is created  and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called `CallFutureState`.  A bug in the polling implementation of the `CallFuture` allows multiple references to be held for this internal state and not all references were dropped before the `Future` is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister's heap and thus causing a memory leak. \n\n### Impact\nCanisters built in Rust with `ic_cdk` and `ic_cdk_timers` are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. **In the worst case, this could lead to heap memory exhaustion triggered by an attacker.**\n\nMotoko based canisters are not affected by the bug.\n\n### Patches\nThe patch has been backported to all minor versions between `\u003e= 0.8.0, \u003c= 0.15.0`. The patched versions available are `0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1` and their previous versions have been yanked. \n\n### Workarounds\nThere are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of `ic_cdk` to avoid running out of Wasm heap memory. \n\n\u003e [!NOTE]  \n\u003e Upgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it's only a temporary solution.\n\n### References\n- [dfinity/cdk-rs/pull/509](https://github.com/dfinity/cdk-rs/pull/509)\n- [ic_cdk docs](https://docs.rs/ic-cdk/latest/ic_cdk/)\n- [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)","aliases":["CVE-2024-7884","RUSTSEC-2024-0372"],"modified":"2024-09-09T14:05:39Z","published":"2024-09-05T16:44:27Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-401"],"github_reviewed_at":"2024-09-05T16:44:27Z","nvd_published_at":"2024-09-05T13:15:11Z","severity":"HIGH"},"references":[{"type":"WEB","url":"https://github.com/dfinity/cdk-rs/security/advisories/GHSA-rwq6-crjg-9cpw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7884"},{"type":"WEB","url":"https://github.com/dfinity/cdk-rs/pull/509"},{"type":"WEB","url":"https://github.com/dfinity/cdk-rs/commit/bd17d57a7b8ca59665fea5fad6143ca02724d03b"},{"type":"WEB","url":"https://docs.rs/ic-cdk/latest/ic_cdk"},{"type":"PACKAGE","url":"https://github.com/dfinity/cdk-rs"},{"type":"WEB","url":"https://internetcomputer.org/docs/current/references/ic-interface-spec"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2024-0372.html"}],"affected":[{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.8.0"},{"fixed":"0.8.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}},{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.9.0"},{"fixed":"0.9.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}},{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.10.0"},{"fixed":"0.10.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}},{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.11.0"},{"fixed":"0.11.6"}]}],"database_specific":{"last_known_affected_version_range":"\u003c 0.11.5","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}},{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.12.0"},{"fixed":"0.12.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}},{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.13.0"},{"fixed":"0.13.5"}]}],"database_specific":{"last_known_affected_version_range":"\u003c 0.13.4","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}},{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.14.0"},{"fixed":"0.14.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}},{"package":{"name":"ic_cdk","ecosystem":"crates.io","purl":"pkg:cargo/ic_cdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.15.0"},{"fixed":"0.15.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-rwq6-crjg-9cpw/GHSA-rwq6-crjg-9cpw.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}