Security Advisory for Rustdoc

We have a security advisory for rustdoc today. Please read and share widely:


The plugin infrastructure predates 1.0 and is not usable on stable or nightly Rust today. Its removal should not impact any Rust users.

Best kind of security bug :slightly_smiling_face:

Also, kudos for the nicely-phrased “no, Rust doesn’t prevent all bugs” paragraph :+1:


Love the way this disclosure is being handled. Kudos to everyone involved.


Excellent handling! Good that you use this low-risk incident as a “dress rehearsal”!

… Rust’s first official CVE, this is somewhat of a milestone for us …

I say we print an award certficate, proudly displaying the CVE-number, on heavy cardstock and post it to the RedHat reporter: “I discovered Rust’s first official CVE”
(After all, aren’t all milestones worth celebrating? :tada: :cake: :confetti_ball: :stuck_out_tongue: )

(btw: This seems like a really good week for Rust, security-wise; first we get the report that the Actix-web-apocalypse has cleaned up practically all their unsafes, and now our first CVE is handled with such finesse; that’s quite an examplary performance of the Rust Community!)