GHSA-wwq9-3cpr-mm53: 
Rust vulnerability analysis and mitigation

A high severity vulnerability (GHSA-wwq9-3cpr-mm53) was discovered in the hashbrown Rust package, affecting version 0.15.0. The vulnerability relates to the borsh serialization of HashMap, which failed to follow the borsh specification by producing non-canonical encodings that were dependent on insertion order. The issue was discovered and reported on October 11, 2024, and was patched in version 0.15.1 (GitHub Advisory, RustSec Advisory).

The vulnerability stems from the HashMap's borsh serialization implementation that violated the borsh specification's consistency requirements. The implementation encoded data by iterating over the HashMap without maintaining a consistent (sorted) order. Additionally, the decode function did not perform any order checks on the keys. The implementation also incorrectly serialized the hasher (not defined in the borsh spec) and used a usize for length instead of the specified u32, producing non-compliant encodings (GitHub Issue).

This vulnerability could lead to consensus splits and cause equivalent objects to be considered distinct, particularly impacting security-critical projects that rely on borsh's consistency guarantees. The issue is especially concerning in cryptocurrency applications where canonical encodings are used to prevent 'double-spends' and consensus splits (GitHub Issue).

The vulnerability has been patched in hashbrown version 0.15.1. Users are advised to upgrade to this version or later. The borsh functionality has been removed from hashbrown, and users should instead rely on borsh's own implementation of HashMap/HashSet (GitHub Issue).