RUSTSEC-2025-0165
i_tree allowed out-of-bounds access through safe public node accessors
Details
Affected versions of `i_tree` exposed safe public `Tree::node` and `Tree::mut_node` methods in the public `tree` module. These methods accepted an arbitrary `u32` index and passed it directly to `Vec::get_unchecked` / `get_unchecked_mut` on the internal node buffer, without validating that the index was in bounds.
Because these methods were safe and public, a caller could pass an out-of-bounds index without writing any `unsafe` code, producing an out-of-bounds shared or mutable reference and triggering undefined behavior.
Starting with `0.10.0` the crate was restructured and these accessors are no longer reachable from outside the crate.
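The unsound pattern described above, next to two sound alternatives, as an added example that is not code from `i_tree` or from this advisory. The `Arena` and `Node` types and all method names are hypothetical stand-ins for the crate's internal node buffer and accessors.

```rust
// Hypothetical arena-backed tree; names are illustrative, not i_tree's source.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct Node {
    pub value: i32,
}

pub struct Arena {
    nodes: Vec<Node>,
}

impl Arena {
    pub fn with_len(len: usize) -> Self {
        Arena { nodes: vec![Node::default(); len] }
    }

    // Unsound pattern from the advisory: a *safe* signature wrapping an
    // unchecked read. Any caller can pass an index >= len without `unsafe`.
    pub fn node_unsound(&self, index: u32) -> &Node {
        unsafe { self.nodes.get_unchecked(index as usize) }
    }

    // Sound option 1: bounds-checked access; out-of-range becomes None.
    pub fn node(&self, index: u32) -> Option<&Node> {
        self.nodes.get(index as usize)
    }

    pub fn node_mut(&mut self, index: u32) -> Option<&mut Node> {
        self.nodes.get_mut(index as usize)
    }

    // Sound option 2: keep the unchecked fast path, but mark the function
    // `unsafe` so the bounds obligation is visible at every call site.
    /// # Safety
    /// `index` must be less than the number of nodes in the arena.
    pub unsafe fn node_unchecked(&self, index: u32) -> &Node {
        debug_assert!((index as usize) < self.nodes.len());
        unsafe { self.nodes.get_unchecked(index as usize) }
    }
}

fn main() {
    let mut arena = Arena::with_len(4);
    arena.node_mut(2).unwrap().value = 7;
    assert_eq!(arena.node(2).map(|n| n.value), Some(7));
    assert!(arena.node(4).is_none()); // one past the end is rejected
    assert!(arena.node(u32::MAX).is_none());
}
```

When auditing a crate for this class of bug, look for `get_unchecked` or `get_unchecked_mut` inside functions that are both `pub` and not marked `unsafe`, where the index comes straight from a parameter.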
Affected packages
i_tree (ecosystem crates.io): affected from 0.0.0-0; fixed in 0.10.0. Upgrade i_tree to 0.10.0 or newer.
References
- https://crates.io/crates/i_tree [PACKAGE]
- https://rustsec.org/advisories/RUSTSEC-2025-0165.html [ADVISORY]
- https://github.com/iShape-Rust/iTree/issues/1 [REPORT]
- https://github.com/iShape-Rust/iTree/commit/a948b891cf159233bfed5b16bf185268fd9e1985 [WEB]
- https://github.com/iShape-Rust/iTree/compare/0.9.0...0.10.0 [WEB]