{"id":"RUSTSEC-2025-0023","summary":"Broadcast channel calls clone in parallel, but does not require `Sync`","details":"The broadcast channel internally calls `clone` on the stored value when\nreceiving it, and only requires `T:Send`. This means that using the broadcast\nchannel with values that are `Send` but not `Sync` can trigger unsoundness if\nthe `clone` implementation makes use of the value being `!Sync`.\n\nThank you to Austin Bonander for finding and reporting this issue.","aliases":["GHSA-rr8g-9fpq-6wmg"],"modified":"2025-10-28T06:29:26.130595Z","published":"2025-04-07T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tokio"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0023.html"},{"type":"WEB","url":"https://github.com/tokio-rs/tokio/pull/7232"}],"affected":[{"package":{"name":"tokio","ecosystem":"crates.io","purl":"pkg:cargo/tokio"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.2.5"},{"fixed":"1.38.2"},{"introduced":"1.39.0"},{"fixed":"1.42.1"},{"introduced":"1.43.0"},{"fixed":"1.43.1"},{"introduced":"1.44.0"},{"fixed":"1.44.2"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0023.json","cvss":null,"categories":["memory-corruption"],"informational":"unsound"}}],"schema_version":"1.7.3"}