RUSTSEC-2025-0023: 
Rust vulnerability analysis and mitigation

RUSTSEC-2025-0023 is a soundness vulnerability discovered in the Tokio broadcast channel implementation. The issue stems from the broadcast channel's ability to accept values that are Send but not Sync, while internally calling the clone() method on these values without proper synchronization. The vulnerability was reported by Austin Bonander and has been fixed in versions 1.44.2, with backports to 1.38.2, 1.42.1, and 1.43.1 (Tokio PR).

The vulnerability occurs because the broadcast channel does not require values to implement Sync, yet it calls the .clone() method without synchronization. This creates unsound behavior when handling types that are Send but not Sync. The fix involves implementing per-value synchronization on receive operations to handle this case properly. The issue specifically affects the broadcast channel implementation in the tokio/sync module (Tokio PR).

While the vulnerability represents a soundness hole in Rust's type system guarantees, the practical impact is considered limited. The issue only manifests when accessing a !Sync type during .clone() operations, which is described as very unusual in typical broadcast channel usage patterns (Tokio PR).

Users are advised to upgrade to Tokio version 1.44.2 or use the backported fixes in versions 1.38.2, 1.42.1, or 1.43.1. The fix implements proper synchronization for clone operations in the broadcast channel (Tokio PR).