
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity use-after-free vulnerability was discovered in Neon, a library for creating JavaScript ArrayBuffer instances backed by bytes allocated outside of V8/Node. It affects Neon versions from 0.8.0 up to, but not including, 0.10.1, specifically the JsArrayBuffer::external and JsBuffer::external functions. The issue was discovered on May 22, 2022, and is fixed in version 0.10.1 (GitHub Advisory, RustSec Advisory).
The root cause is that, before Neon 0.10.1, JsArrayBuffer::external and JsBuffer::external required only T: AsMut<[u8]> and not T: 'static. Because the standard library provides a blanket implementation of AsMut<U> for &mut T whenever T: AsMut<U>, a &mut [u8] borrowed from a caller-owned Vec<u8> satisfies that bound just as well as the Vec itself. The external buffer then holds only the reference while the bytes stay owned by the caller, and once the raw pointer has been handed to V8 the Rust borrow checker no longer tracks it: when the Vec is dropped, the JavaScript ArrayBuffer still points at freed memory (GitHub Advisory, Neon Issue).
Exploitation leads to memory corruption or memory exposure. JavaScript code can keep reading from and writing to an ArrayBuffer whose backing allocation Rust has already freed and may have reused, which is undefined behaviour on the Rust side and, from the JavaScript side, gives access to whatever now occupies that memory (RustSec Advisory).
The vulnerability is fixed in Neon 0.10.1, which adds the T: 'static bound to both functions so that the type backing the buffer must own its bytes; passing a borrowed &mut [u8] is now a compile-time error instead of a runtime use-after-free. Users should upgrade to 0.10.1 or later. cargo audit, which checks Cargo.lock against the RustSec database, flags affected versions, and a crate that called these functions with anything other than an owned type (Vec<u8>, Box<[u8]>, an array) will fail to compile after the upgrade, which is the intended signal (GitHub Advisory).
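The ownership problem described above, and why the 'static bound fixes it, as an added example that is not Neon's own code: a minimal stand-in for how an externally backed buffer hands V8 a raw pointer plus a finalizer, written in the pre-0.10.1 shape (no 'static bound) and in the 0.10.1 shape. ExternalHandle, external_unsound, external_fixed, drop_owner and the demo functions are names assumed for illustration; only the AsMut<[u8]> bound and the 'static fix come from the advisory.

```rust
// Added example (not Neon's code): a stand-in for how an externally backed JS
// ArrayBuffer hands its bytes to V8. What crosses the FFI boundary is a raw
// pointer plus a finalizer; the borrow checker sees neither, so only the
// `T: 'static` bound guarantees that the owner of the bytes outlives the buffer.

/// Assumed model of what V8 keeps for an external ArrayBuffer: data pointer,
/// length, and an opaque owner the finalizer drops when the buffer is collected.
pub struct ExternalHandle {
    data: *const u8,
    len: usize,
    owner: *mut (),
    finalize: unsafe fn(*mut ()),
}

/// Finalizer: reclaim the boxed owner that `external_unsound` leaked.
unsafe fn drop_owner<T>(owner: *mut ()) {
    // SAFETY: `owner` came from `Box::into_raw(Box<T>)` in `external_unsound`.
    unsafe { drop(Box::from_raw(owner as *mut T)) };
}

/// Pre-0.10.1 shape: any `T: AsMut<[u8]>` is accepted. Through the blanket impl
/// `impl<T: ?Sized + AsMut<U>, U: ?Sized> AsMut<U> for &mut T`, a `&mut [u8]`
/// borrowed from the caller's Vec qualifies, but then only the *reference* is
/// boxed as the owner; the bytes still belong to the caller.
pub fn external_unsound<T: AsMut<[u8]>>(data: T) -> ExternalHandle {
    let mut boxed = Box::new(data);
    let bytes: &mut [u8] = AsMut::<[u8]>::as_mut(&mut *boxed);
    let (data, len) = (bytes.as_ptr(), bytes.len());
    ExternalHandle {
        data,
        len,
        owner: Box::into_raw(boxed) as *mut (),
        finalize: drop_owner::<T>,
    }
}

/// 0.10.1 shape: the extra `'static` bound rejects borrowed data at compile
/// time, so `T` must own its bytes (e.g. `Vec<u8>`, `Box<[u8]>`, `[u8; N]`).
pub fn external_fixed<T: AsMut<[u8]> + 'static>(data: T) -> ExternalHandle {
    external_unsound(data)
}

impl ExternalHandle {
    pub fn len(&self) -> usize {
        self.len
    }

    /// The JavaScript side's view of the bytes. Sound only while the owner lives.
    pub unsafe fn as_bytes(&self) -> &[u8] {
        unsafe { std::slice::from_raw_parts(self.data, self.len) }
    }
}

impl Drop for ExternalHandle {
    fn drop(&mut self) {
        // SAFETY: `owner` and `finalize` were produced together for the same `T`.
        unsafe { (self.finalize)(self.owner) }
    }
}

/// Reproduces the bug shape: the Vec is freed while the handle (the JS
/// ArrayBuffer) still points at its buffer. Returns (len, pointer_is_stale).
/// The stale pointer is only compared, never dereferenced, so this function
/// itself has no undefined behaviour; a real JS read through it would.
pub fn dangling_handle() -> (usize, bool) {
    let freed_ptr;
    let handle = {
        let mut local = vec![0xAAu8; 16];
        freed_ptr = local.as_ptr();
        external_unsound(&mut local[..]) // compiles: no 'static bound
    }; // `local` is dropped here; `handle.data` now dangles
    let result = (handle.len(), handle.data == freed_ptr);
    // Leak rather than run the finalizer over a box holding a dangling reference.
    std::mem::forget(handle);
    result
}

/// Fixed shape: the Vec moves into the handle, so the bytes live as long as it.
/// `external_fixed(&mut local[..])` is rejected with E0597
/// ("`local` does not live long enough ... borrowed for `'static`").
pub fn owned_handle_sum() -> u32 {
    let handle = external_fixed(vec![1u8, 2, 3, 4]);
    // SAFETY: the handle owns the Vec; the pointer is valid until `handle` drops.
    unsafe { handle.as_bytes() }.iter().map(|&b| u32::from(b)).sum()
}

fn main() {
    println!("unsound shape (len, stale pointer): {:?}", dangling_handle());
    println!("fixed shape, sum of owned bytes: {}", owned_handle_sum());
}
```

The useful observation is that the unsound call compiles without complaint: the borrow of local ends when the reference is moved into the function, because ExternalHandle carries no lifetime, exactly as a raw pointer handed to V8 carries none. Adding 'static is the only thing that makes the compiler refuse the borrowed argument.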
Source: This report was generated using AI