GHSA-95hm-pr6q-298w: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-95hm-pr6q-298w) affects the fast-able Rust crate versions prior to 1.13.7. The issue involves an unsafe implementation of the get_unchecked method in the SyncVec struct, which was publicly accessible without proper bounds checking. The vulnerability was reported in April 2025 and officially published on September 15, 2025 (GitHub Advisory, RustSec Advisory).

The vulnerability stems from the SyncVec struct's public get_unchecked method implementation, which accepts an index parameter without performing sufficient boundary checks. This implementation directly uses the unsafe get_unchecked method from Rust's standard library without proper safety guarantees. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (High severity) with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The issue is categorized as CWE-125 (Out-of-bounds Read) (GitHub Advisory).

The vulnerability can lead to a Denial of Service (DoS) attack through the insecure method implementation. The CVSS metrics indicate that while there is no impact on confidentiality and integrity, there is a high impact on availability of the vulnerable system. The attack can be executed remotely with low complexity and requires no special privileges or user interaction (GitHub Advisory).

The vulnerability has been patched in version 1.13.7 of the fast-able crate. Users should upgrade to this version or later to mitigate the security risk (RustSec Advisory).