GHSA-3hxh-7jxm-59x4: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-3hxh-7jxm-59x4) affects the metrics-util Rust crate, where AtomicBucket incorrectly implements Send/Sync traits unconditionally. This security issue was discovered on April 7, 2021, and was officially published to the GitHub Advisory Database on June 17, 2022. The vulnerability affects versions prior to 0.7.0 of the metrics-util package (GitHub Advisory, RustSec Advisory).

The vulnerability stems from the AtomicBucket struct unconditionally implementing Send/Sync traits through its contained Block data type. This implementation allows users to create data races to the inner T: !Sync by utilizing the AtomicBucket::data_with() API. The issue was identified in the struct Block implementation, which unconditionally implemented Send and Sync traits without appropriate bounds (GitHub Issue).

The vulnerability can lead to memory corruption or other undefined behavior due to potential data races. When exploited, it allows users to create concurrent access to &T from multiple threads for types that are not thread-safe (!Sync), and enables sending non-sendable types (!Send) to other threads (RustSec Advisory).

The vulnerability was fixed in version 0.7.0 of the metrics-util crate. The fix was implemented in commit 8e6daab by adding appropriate Send/Sync bounds to the Send/Sync implementation of struct Block contained inside AtomicBucket (RustSec Advisory).