{"id":"RUSTSEC-2024-0402","summary":"Borsh serialization of HashMap is non-canonical","details":"The borsh serialization of the HashMap did not follow the borsh specification.\nIt potentially produced non-canonical encodings dependent on insertion order.\nIt also did not perform canonicty checks on decoding.\n\nThis can result in consensus splits and cause equivalent objects to be\nconsidered distinct.\n\nThis was patched in 0.15.1.","aliases":["GHSA-wwq9-3cpr-mm53"],"modified":"2025-10-28T06:29:53.834037Z","published":"2024-10-11T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/hashbrown"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0402.html"},{"type":"REPORT","url":"https://github.com/rust-lang/hashbrown/issues/576"}],"affected":[{"package":{"name":"hashbrown","ecosystem":"crates.io","purl":"pkg:cargo/hashbrown"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.15.0"},{"fixed":"0.15.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":["hashbrown::HashMap::borsh_serialize"]},"affected_functions":null},"database_specific":{"categories":[],"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0402.json","informational":null}}],"schema_version":"1.7.3"}