{"id":"RUSTSEC-2023-0053","summary":"rustls-webpki: CPU denial of service in certificate path building","details":"When this crate is given a pathological certificate chain to validate, it will\nspend CPU time exponential with the number of candidate certificates at each\nstep of path building.\n\nBoth TLS clients and TLS servers that accept client certificate are affected.\n\nWe now give each path building operation a budget of 100 signature verifications.\n\nThe original `webpki` crate is also affected.\n\nThis was previously reported in the original crate\n\u003chttps://github.com/briansmith/webpki/issues/69\u003e and re-reported to us\nrecently by Luke Malinowski.","aliases":["GHSA-fh2r-99q2-6mmg"],"modified":"2026-02-04T02:53:13.731040Z","published":"2023-08-22T12:00:00Z","related":["CVE-2018-16875"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rustls-webpki"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2023-0053.html"}],"affected":[{"package":{"name":"rustls-webpki","ecosystem":"crates.io","purl":"pkg:cargo/rustls-webpki"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.100.2"},{"introduced":"0.101.0"},{"fixed":"0.101.4"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":null,"cvss":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0053.json","categories":["denial-of-service"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}