GHSA-c2hm-mjxv-89r4: 
Rust vulnerability analysis and mitigation

The lexical crate, a Rust library for numeric string conversions, contains multiple soundness issues that affect versions 6.1.1 and earlier. The vulnerability was reported on September 3, 2023, and was assigned the identifier GHSA-c2hm-mjxv-89r4. The affected package provides fast numeric to- and from-string conversion routines for use in both std and no_std environments (GitHub Advisory, RustSec Advisory).

The vulnerability encompasses several critical soundness issues in the codebase: Bytes::read() allows creating instances of types with invalid bit patterns, BytesIter::read() advances iterators out of bounds, the BytesIter trait has safety invariants but is public and not marked unsafe, and both writefloat() and radix() functions call MaybeUninit::assumeinit() on uninitialized data, which violates the Rust abstract machine's requirements (GitHub Advisory).

The issues affect the core functionality of the library, potentially leading to memory safety violations and undefined behavior in applications using the affected versions. The severity is classified as Low, though the soundness issues could have significant implications for applications relying on this library for numeric conversions (GitHub Advisory).

The issues have been patched in version 7.0.0 of the lexical crate. Users are advised to upgrade to this version or consider alternative solutions. For floating-point parsing, the fast float parsing algorithm has been merged into libcore. For integer parsing, alternatives include atoi and btoi crates (100% safe code) or atoiradix10. For integer formatting in nostd contexts, the numtoa crate is recommended. For big number operations, num-bigint and num-traits are suggested alternatives (GitHub Advisory, RustSec Advisory).