{"id":"RUSTSEC-2023-0052","summary":"webpki: CPU denial of service in certificate path building","details":"When this crate is given a pathological certificate chain to validate, it will\nspend CPU time exponential with the number of candidate certificates at each\nstep of path building.\n\nBoth TLS clients and TLS servers that accept client certificate are affected.\n\nThis was previously reported in\n\u003chttps://github.com/briansmith/webpki/issues/69\u003e and re-reported recently\nby Luke Malinowski.\n\nwebpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.","aliases":["GHSA-8qv2-5vq6-g2g7"],"modified":"2026-02-04T03:53:21.617323Z","published":"2023-08-22T12:00:00Z","related":["CVE-2018-16875"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/webpki"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2023-0052.html"}],"affected":[{"package":{"name":"webpki","ecosystem":"crates.io","purl":"pkg:cargo/webpki"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.22.2"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":[],"arch":[]},"affected_functions":null},"database_specific":{"categories":["denial-of-service"],"informational":null,"cvss":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0052.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}