GHSA-pfp7-vxgr-83pw: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-pfp7-vxgr-83pw) affects the toodee Rust crate, versions 0.2.0 through 0.5.0. It was discovered and reported on May 22, 2025, and officially published on September 8, 2025. The vulnerability is a heap buffer overflow condition in the DrainCol::drop destructor, which could cause unsafe memory operations (RustSec Advisory, GitHub Advisory).

The vulnerability stems from an off-by-one error in the DrainCol::drop destructor where the ptr::copy operation could exceed the bounds of the associated vector. The issue specifically occurs when removing the first column from a TooDee object, where the DrainCol return object triggers a heap buffer overflow during its destruction. The vulnerability has been assigned a CVSS v4 score of 8.8 (High), with attack vectors including Network accessibility, Low attack complexity, and No privileges required (GitHub Advisory).

The vulnerability can lead to heap buffer overflow conditions, potentially resulting in memory corruption and memory exposure. The CVSS metrics indicate High impact on confidentiality and availability of the vulnerable system, with Low subsequent system impacts across confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability has been patched in version 0.6.0 of the toodee crate. The fix involves modifying the ptr::copy operation by reducing the copied size by one, as implemented in commit e6e16d5 (GitHub Commit).