GHSA-pfp7-vxgr-83pw: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-pfp7-vxgr-83pw) affects the toodee Rust crate versions 0.2.0 through 0.5.0. Discovered and reported on May 22, 2025, this heap buffer overflow vulnerability was found in the DrainCol::drop destructor. The issue was officially published to the GitHub Advisory Database on September 9, 2025, and received a high severity rating with a CVSS score of 8.8 (GitHub Advisory, RustSec Advisory).

The vulnerability stems from an off-by-one error in the DrainCol::drop destructor where an unsafe memory copy operation could exceed the bounds of the associated vector. The issue specifically occurs when removing the first column from a TooDee object, where the DrainCol return object triggers a heap buffer overflow during the drop operation. The vulnerability is related to the size of the data being copied in one of the ptr::copy invocations inside the destructor (GitHub Issue).

The vulnerability allows unauthorized access beyond the allocated memory bounds, potentially leading to memory corruption and exposure. The CVSS metrics indicate high impacts on confidentiality and availability of the vulnerable system, with subsequent lower impacts on confidentiality, integrity, and availability of dependent systems (GitHub Advisory).

The vulnerability was fixed in version 0.6.0 of the toodee crate. The fix involves reducing the copied size by one in the ptr::copy invocation, as implemented in commit e6e16d5. Users are advised to upgrade to version 0.6.0 or later to address this vulnerability (GitHub Commit).