GHSA-x77x-7mmh-cxv3:
Rust vulnerability analysis and mitigation
Overview
The ncurses Rust library (ncurses-rs) contains memory safety vulnerabilities affecting multiple string-reading functions, tracked as GHSA-x77x-7mmh-cxv3. The vulnerability was discovered and reported on October 21, 2025, and officially published on October 22, 2025. The issue affects all versions up to and including 6.0.1 of the ncurses crate, and the repository is archived and unmaintained (GitHub Advisory, RustSec Advisory).
Technical details
The vulnerability stems from an incorrect implementation of the string-reading functions, which expose uninitialized memory through misuse of `Vec::set_len()` and `String::set_len()`. When no null terminator is found in the data read from the C side, these functions set the length of the buffer to its full capacity rather than to the number of bytes actually written, so the returned value covers bytes the call never initialized. This affects 11 different functions, including inchnstr, inchstr, innstr, and others. The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Moderate) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P and is categorized as CWE-125 (Out-of-bounds Read) (GitHub Advisory).
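The following is an added example, not code from ncurses-rs or from the advisory. It reproduces the `set_len` pattern the advisory describes and places a corrected wrapper beside it, so the difference is observable without linking against ncurses. `fake_innstr` is a constructed stand-in for a C string-reading function such as `innstr`: it writes at most `n` bytes into the caller's buffer, NUL-terminates only when there is room, and returns the count it wrote. `stale_buffer` simulates an allocation that still holds bytes from earlier use; all three names are assumptions for this example.

```rust
use std::os::raw::c_char;

/// Constructed stand-in for an ncurses-style C reader (assumption, not the
/// real FFI binding). Copies up to `n` bytes of `src` into `buf`, writes a
/// NUL terminator only if it fits, and returns the number of bytes written.
unsafe fn fake_innstr(src: &[u8], buf: *mut c_char, n: usize) -> i32 {
    let count = src.len().min(n);
    // SAFETY: the caller guarantees `buf` points at least `n` writable bytes.
    for (i, &b) in src.iter().take(count).enumerate() {
        *buf.add(i) = b as c_char;
    }
    if count < n {
        *buf.add(count) = 0;
    }
    count as i32
}

/// Constructed helper: an allocation whose bytes were previously filled
/// with b'S' (for "stale") and then logically emptied. The capacity and the
/// old bytes remain, which is the situation the advisory is about.
pub fn stale_buffer(capacity: usize) -> Vec<u8> {
    let mut v = vec![b'S'; capacity];
    v.clear();
    v
}

/// The defective shape described in the advisory: if no terminator is found
/// in the first `n` bytes, the length is set to the whole capacity.
pub fn innstr_vulnerable(buf: &mut Vec<u8>, src: &[u8], n: usize) -> i32 {
    assert!(buf.capacity() >= n, "caller must pre-size the buffer");
    unsafe {
        let ret = fake_innstr(src, buf.as_mut_ptr() as *mut c_char, n);
        let nul = (0..n).find(|&i| *buf.as_ptr().add(i) == 0);
        let cap = buf.capacity();
        match nul {
            Some(i) => buf.set_len(i),
            // BUG: bytes n..cap were never written by this call, yet they are
            // now part of the returned data.
            None => buf.set_len(cap),
        }
        ret
    }
}

/// Corrected wrapper: the length is derived from what the C side reports
/// writing, capped at `n`, and never from `capacity()`.
pub fn innstr_fixed(buf: &mut Vec<u8>, src: &[u8], n: usize) -> i32 {
    buf.clear();
    buf.reserve(n);
    let ret = unsafe { fake_innstr(src, buf.as_mut_ptr() as *mut c_char, n) };
    if ret < 0 {
        return ret; // C side reported an error; buffer stays empty
    }
    let written = (ret as usize).min(n);
    // SAFETY: exactly `written` bytes were initialized by fake_innstr above.
    unsafe { buf.set_len(written) };
    // Trim at an early NUL inside the written region, if the C side added one.
    if let Some(i) = buf.iter().position(|&b| b == 0) {
        buf.truncate(i);
    }
    ret
}

fn main() {
    let mut v = stale_buffer(16);
    innstr_vulnerable(&mut v, b"abcdefgh", 4);
    println!("vulnerable: {:?}", String::from_utf8_lossy(&v));
    let mut f = stale_buffer(16);
    innstr_fixed(&mut f, b"abcdefgh", 4);
    println!("fixed:      {:?}", String::from_utf8_lossy(&f));
}
```

Running it shows the vulnerable wrapper returning the four requested bytes followed by twelve stale `S` bytes, while the fixed wrapper returns only `abcd`. The general rule applied in `innstr_fixed` is that a length passed to `set_len` must come from the producer's own report of initialized bytes, never from the allocation size.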
Impact
The vulnerability allows reading uninitialized memory, which may contain sensitive data left behind by previous allocations. This is a disclosure risk: confidential information previously stored in that memory could be returned to the caller as part of the string (GitHub Advisory, RustSec PR).
Mitigation and workarounds
No official patches or fixes are available, as the ncurses-rs repository is archived and unmaintained. Users are advised to consider alternative libraries for ncurses functionality in Rust (GitHub Advisory, RustSec Advisory).
Community reactions
The vulnerability was confirmed by the project maintainers, and the repository has been officially archived. The archive announcement was made public on Reddit, marking the end of active maintenance for the project (RustSec PR).
Additional resources
Source: This report was generated using AI