
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-51756 affects the cap-std project, which provides libraries for writing capability-based code. The vulnerability was discovered in the filesystem sandbox implementation on Windows, where it failed to block access to special device filenames using superscript digits (e.g., 'COM¹', 'COM²', 'LPT⁰', 'LPT¹'). The issue was disclosed on November 5, 2024, and affects versions prior to 3.4.1 of cap-std, cap-primitives, and cap-async-std packages (GitHub Advisory).
The vulnerability stems from incomplete filtering of Windows special device filenames in the sandbox implementation. While the sandbox blocked standard device names like 'COM1' and 'LPT1', it failed to recognize and block their superscript-digit variants. Windows accepts the superscript digits defined in ISO/IEC 8859-1 as valid digits in device names, so such a name still resolves to the underlying device. The vulnerability has been assigned a CVSS v4.0 base score of 2.3 (Low) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).
The vulnerability allows untrusted filesystem paths to bypass the sandbox and gain access to peripheral devices connected to the computer or network resources mapped to those devices. This includes access to modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports (GitHub Advisory).
The vulnerability has been fixed in version 3.4.1 of cap-primitives, cap-std, and cap-async-std packages. There are no known workarounds for this issue, and affected Windows users are recommended to upgrade to the patched versions (GitHub Advisory).
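As an added example (not cap-std's own code), the following Rust check places the incomplete ASCII-digit-only filter beside a hardened version that also rejects the superscript-digit device names; the function names and the subset of Windows name-normalization rules it models (extension stripping, trailing spaces) are assumptions of this example.

```rust
// Added example, not cap-std's own code: a per-component check for Windows
// reserved device filenames. The "ascii only" variant models the incomplete
// filter described in CVE-2024-51756; the hardened variant also rejects the
// superscript-digit forms ('COM¹', 'LPT⁰', ...) that Windows maps to the
// same devices. Assumption: only the rules below are modelled.

/// Strips the parts Windows ignores when resolving device names: everything
/// from the first '.' onward (so "COM1.txt" is still COM1) and trailing spaces.
fn device_base_name(component: &str) -> String {
    let base = component.split('.').next().unwrap_or("");
    base.trim_end_matches(' ').to_ascii_uppercase()
}

/// Shared logic: `digit_ok` decides which characters count as the trailing
/// digit of a COM/LPT name.
fn is_reserved_with(component: &str, digit_ok: fn(char) -> bool) -> bool {
    let base = device_base_name(component);
    if matches!(base.as_str(), "CON" | "PRN" | "AUX" | "NUL") {
        return true;
    }
    let rest = match base.strip_prefix("COM").or_else(|| base.strip_prefix("LPT")) {
        Some(r) => r,
        None => return false,
    };
    // COM/LPT must be followed by exactly one digit character.
    let mut chars = rest.chars();
    matches!((chars.next(), chars.next()), (Some(c), None) if digit_ok(c))
}

/// The incomplete check: only ASCII '0'..='9' after COM/LPT, so "COM¹" passes.
pub fn is_reserved_device_name_ascii_only(component: &str) -> bool {
    is_reserved_with(component, |c| c.is_ascii_digit())
}

/// The hardened check: ASCII digits plus the superscript digits named in the
/// advisory (U+2070 '⁰', U+00B9 '¹', U+00B2 '²', U+00B3 '³').
pub fn is_reserved_device_name(component: &str) -> bool {
    is_reserved_with(component, |c| {
        c.is_ascii_digit() || matches!(c, '\u{2070}' | '\u{00B9}' | '\u{00B2}' | '\u{00B3}')
    })
}

/// Sandbox-style gate: reject a relative path if any component names a device.
pub fn path_is_safe(path: &str) -> bool {
    path.split(['/', '\\']).all(|c| !is_reserved_device_name(c))
}
```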
Source: This report was generated using AI