
Cloud Vulnerability DB
A community-led vulnerabilities database
The ncurses Rust library (ncurses-rs) contains a critical memory safety vulnerability identified as GHSA-x77x-7mmh-cxv3. The vulnerability affects multiple string reading functions that improperly expose uninitialized memory by setting length to capacity when no null terminator is found. This issue affects all versions up to and including 6.0.1. The vulnerability was reported on October 21, 2025, and published to the GitHub Advisory Database on October 22, 2025 (GitHub Advisory).
The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Moderate severity) with base metrics of AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P. The issue affects 11 functions in the library that follow a flawed implementation pattern when handling string reads. These functions improperly use Vec::set_len() and String::set_len(), setting the Vec/String length to the capacity instead of the length of the data actually read. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (GitHub Advisory, RustSec Advisory).
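The length decision described above, modelled next to a hardened form. This is an added example, not code from ncurses-rs or the advisories. `mock_c_read`, `read_string` and the sample bytes are hypothetical, and the "stale" bytes are initialised on purpose so the demo itself has no undefined behaviour.

```rust
// Added example: `storage` stands in for the whole allocation (capacity bytes).

/// Flawed pattern from the advisory: if no NUL is found, length = capacity.
fn flawed_len(storage: &[u8]) -> usize {
    storage.iter().position(|&b| b == 0).unwrap_or(storage.len())
}

/// Hardened: only inspect the bytes the callee reported writing.
fn hardened_len(storage: &[u8], written: usize) -> usize {
    let written = written.min(storage.len());
    storage[..written].iter().position(|&b| b == 0).unwrap_or(written)
}

/// Hypothetical stand-in for a C read routine: copies `input` into `dst`
/// without a terminator and returns the number of bytes written.
unsafe fn mock_c_read(dst: *mut u8, cap: usize, input: &[u8]) -> usize {
    let n = input.len().min(cap);
    unsafe { std::ptr::copy_nonoverlapping(input.as_ptr(), dst, n) };
    n
}

/// Safe wrapper: zero-initialised buffer, length taken from the write count.
fn read_string(cap: usize, input: &[u8]) -> String {
    let mut buf = vec![0u8; cap]; // every byte initialised before the FFI call
    let written = unsafe { mock_c_read(buf.as_mut_ptr(), cap, input) };
    let end = hardened_len(&buf, written);
    buf.truncate(end); // truncate can only shrink, never expose extra bytes
    String::from_utf8_lossy(&buf).into_owned()
}

fn main() {
    // Constructed sample: 2 fresh bytes, then leftover bytes, no NUL anywhere.
    let storage = *b"hiSECRET";
    println!("flawed len   = {}", flawed_len(&storage));
    println!("hardened len = {}", hardened_len(&storage, 2));
    println!("wrapper      = {:?}", read_string(8, b"hello"));
}
```

The flawed function returns the full capacity for the sample, so the leftover bytes become part of the returned string; the hardened one stops at the two bytes actually written.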
The vulnerability allows reading uninitialized memory which may contain sensitive data from previous allocations. This can lead to information disclosure and potential exposure of sensitive information that was previously stored in memory (GitHub Advisory).
There are currently no patched versions available as the ncurses-rs repository is archived and unmaintained. Users are advised to consider alternative libraries for ncurses functionality in Rust (RustSec Advisory).
The project maintainers have archived the repository, as announced on Reddit. The security community, including Rust security experts, has confirmed the severity of the issue, noting that ncurses-rs is "about as unsafe as Rust can get" due to being a thin wrapper around an unsafe C API (RustSec PR).
Source: This report was generated using AI