CVE-2021-29935: 
Rust vulnerability analysis and mitigation

An issue was discovered in the rocket crate before 0.4.7 for Rust, identified as CVE-2021-29935. The vulnerability involves a potential use-after-free condition in the uri::Formatter component when a user-provided function panics. This vulnerability was reported on February 9, 2021, and officially issued on March 26, 2021. The issue affects all versions of the rocket crate prior to version 0.4.7 (RustSec Advisory).

The vulnerability stems from unsafe memory handling in the uri::Formatter component. The affected code transmuted a &str to a &'static str before pushing it into a StackVec, with the value being popped later in the same function. While this was assumed to be safe due to the reference remaining valid during the method's stack lifetime, the security assumption breaks when a user-provided function panics between the push and pop operations. This can result in an illegal static reference to the string. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (RustSec Advisory).

The vulnerability could result in a freed string being used during panic unwinding (such as in a Drop implementation) or after the panic (e.g., through catch_unwind). This can lead to memory corruption and potential security implications including information disclosure, integrity issues, and availability problems (RustSec Advisory).

The vulnerability was fixed in version 0.4.7 of the rocket crate through commit e325e2f, which implemented a guard object to ensure that the &'static str is properly dropped inside the function. Users are advised to upgrade to version 0.4.7 or later to address this security issue (RustSec Advisory).