
RUSTSEC-2025-0020

Risk of buffer overflow in `PyString::from_object`

Details

`PyString::from_object` took `&str` arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the `&str` data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function now allocates a `CString` to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes `&CStr` arguments.
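The following is an added example (not PyO3's own code) of the defensive pattern the fix adopts: a `&str` is copied into a `CString` before its pointer is handed to anything expecting C string semantics. The C side is simulated here by `c_api_len`, which scans for the terminator with `CStr::from_ptr`, and the interior-nul case (which `CString::new` rejects rather than silently truncating) is handled explicitly. All function names are hypothetical.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// Convert a Rust `&str` into a nul-terminated buffer that a C API may read.
/// `CString::new` appends the terminator and rejects interior nul bytes,
/// which a C consumer would otherwise treat as the end of the string.
pub fn to_c_arg(s: &str) -> Result<CString, NulError> {
    CString::new(s)
}

/// Stand-in for a C API that trusts the pointer to be nul-terminated:
/// it scans forward until it finds a 0 byte, exactly like `strlen`.
///
/// # Safety
/// `ptr` must point to a valid, nul-terminated buffer that outlives the call.
pub unsafe fn c_api_len(ptr: *const c_char) -> usize {
    CStr::from_ptr(ptr).to_bytes().len()
}

/// Whether a byte buffer carries its own terminator. A plain `&str`'s
/// bytes never do, which is why `s.as_ptr()` must not be passed directly.
pub fn has_terminator(bytes: &[u8]) -> bool {
    bytes.last() == Some(&0)
}

/// Length the simulated C side observes after the safe conversion.
pub fn c_visible_len(s: &str) -> Result<usize, NulError> {
    let owned = to_c_arg(s)?;
    // `owned` keeps the buffer alive for the duration of the raw-pointer use.
    let len = unsafe { c_api_len(owned.as_ptr()) };
    Ok(len)
}

fn main() {
    let s = "hello";
    println!("&str bytes carry a terminator: {}", has_terminator(s.as_bytes()));
    match c_visible_len(s) {
        Ok(n) => println!("C side sees {} bytes", n),
        Err(e) => println!("rejected: {}", e),
    }
    // Constructed input with an interior nul: rejected instead of truncated.
    match c_visible_len("ab\0cd") {
        Ok(n) => println!("C side sees {} bytes", n),
        Err(e) => println!("rejected: {}", e),
    }
}
```

The check worth keeping in mind is the `Err` branch: an interior nul in the Rust string is a genuine error for a C string API, and surfacing it is preferable to either truncation or reading past the slice.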


Affected packages

crates.io / pyo3
Introduced in: 0.0.0-0
Fixed in: 0.24.1

Upgrade pyo3 to 0.24.1 or newer (ecosystem crates.io).
