{"id":"RUSTSEC-2023-0055","summary":"Multiple soundness issues","details":"`lexical` contains multiple soundness issues:\n\n 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)\n 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)\n 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)\n 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)\n 1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126)\n\nThe crate also has some correctness issues.\n\n## Alternatives\n\nFor quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore.\n\nFor quickly parsing integers, consider `atoi` and `btoi` crates (100% safe code). `atoi_radix10` provides even faster parsing, but only with `-C target-cpu=native`, and at the cost of some `unsafe`.\n\nFor formatting integers in a `#[no_std]` context consider the [`numtoa`](https://crates.io/crates/numtoa) crate.\n\nFor working with big numbers consider `num-bigint` and `num-traits`.","aliases":["GHSA-c2hm-mjxv-89r4"],"modified":"2026-02-04T02:37:30.134688Z","published":"2023-09-03T12:00:00Z","related":["RUSTSEC-2023-0086"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/lexical"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2023-0055.html"},{"type":"REPORT","url":"https://github.com/Alexhuszagh/rust-lexical/issues/102"},{"type":"REPORT","url":"https://github.com/Alexhuszagh/rust-lexical/issues/101"},{"type":"REPORT","url":"https://github.com/Alexhuszagh/rust-lexical/issues/95"},{"type":"REPORT","url":"https://github.com/Alexhuszagh/rust-lexical/issues/104"},{"type":"REPORT","url":"https://github.com/Alexhuszagh/rust-lexical/issues/126"}],"affected":[{"package":{"name":"lexical","ecosystem":"crates.io","purl":"pkg:cargo/lexical"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"7.0.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":[],"os":[],"arch":[]}},"database_specific":{"informational":"unsound","categories":[],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0055.json","cvss":null}}],"schema_version":"1.7.3"}