
fix: update time from 0.3.44 to 0.3.47 (RUSTSEC-2026-0009)#5104

Closed. Copilot wants to merge 2 commits into develop from copilot/fix-stack-exhaustion-issue.

Conversation

Copilot AI (Contributor) commented Feb 7, 2026

What problem does this PR solve?

Problem Summary:

Addresses RUSTSEC-2026-0009: DoS vulnerability via stack exhaustion in the time crate when parsing RFC 2822 formatted input. Versions <0.3.47 have unbounded recursion in deprecated RFC 2822 features, allowing malicious input to exhaust the stack.

What is changed and how it works?

What's Changed:

  • Updated workspace dependency time from 0.3.36 → 0.3.47
  • Updated Cargo.lock with patched versions of time, time-core, time-macros, and num-conv

Version 0.3.47 adds recursion depth limits, returning errors instead of stack exhaustion. No breaking changes - the codebase only uses basic datetime operations (OffsetDateTime::now_utc(), formatting), not RFC 2822 parsing.

Related changes

  • N/A

Check List

Tests

  • No code

Side effects

  • N/A
Original prompt

This section details the original issue you should resolve

<issue_title>RUSTSEC-2026-0009: Denial of Service via Stack Exhaustion</issue_title>
<issue_description>

Denial of Service via Stack Exhaustion

Details
Package: time
Version: 0.3.44
URL: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
Date: 2026-02-05
Patched versions: >=0.3.47
Unaffected versions: <0.3.6

Impact

When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
service attack via stack exhaustion is possible. The attack relies on formally deprecated and
rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
non-malicious input will never encounter this scenario.

Patches

A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
rather than exhausting the stack.

Workarounds

Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
the stack consumed would be at most a factor of the length of the input.

See advisory page for additional details.
</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: eval-exec <46400566+eval-exec@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix denial of service via stack exhaustion in time package fix: update time from 0.3.44 to 0.3.47 (RUSTSEC-2026-0009) Feb 7, 2026
Copilot AI requested a review from eval-exec February 7, 2026 01:01
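The advisory above names two defences against parser stack exhaustion: the fix shipped in time 0.3.47 (a recursion depth limit that turns runaway nesting into an error) and the workaround for older versions (capping input length, since stack use is at most proportional to input size). The following is an added example written for this page; it is not code from the time crate or from this PR. It uses a toy recursive parser for RFC 2822 comments, which the RFC allows to nest, purely to illustrate recursive parsing of a rarely used feature; it makes no claim about where in the time crate the original recursion lived. The constant `MAX_COMMENT_DEPTH`, the `ParseError` type and the function names are all assumptions of this example.

```rust
// Added example, not time-crate code: a recursive-descent skipper for
// nested RFC 2822 comments with (a) a recursion depth limit, as in the
// advisory's patch, and (b) an input length cap, as in its workaround.

/// Errors returned instead of overflowing the stack.
#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    /// Input exceeded the caller's length budget before parsing started.
    InputTooLong { len: usize, max: usize },
    /// Comment nesting exceeded the recursion budget.
    TooDeeplyNested { max_depth: usize },
    /// A comment was opened but never closed.
    UnterminatedComment,
}

/// Hard cap on comment nesting. Hypothetical value chosen for this example;
/// legitimate headers rarely nest comments more than once or twice.
pub const MAX_COMMENT_DEPTH: usize = 16;

/// Parses one parenthesised comment starting at `pos` (which must be '('),
/// recursing into nested comments, and returns the index just past ')'.
/// `depth` counts how many comments are currently open, the outermost being 1.
fn skip_comment(input: &[u8], pos: usize, depth: usize) -> Result<usize, ParseError> {
    if depth > MAX_COMMENT_DEPTH {
        // Bounded recursion: fail cleanly instead of consuming more stack.
        return Err(ParseError::TooDeeplyNested { max_depth: MAX_COMMENT_DEPTH });
    }
    debug_assert_eq!(input.get(pos), Some(&b'('));
    let mut i = pos + 1;
    while let Some(&c) = input.get(i) {
        match c {
            b'(' => i = skip_comment(input, i, depth + 1)?, // nested comment: recurse
            b')' => return Ok(i + 1),
            b'\\' => i += 2, // quoted-pair: the escaped byte is not a delimiter
            _ => i += 1,
        }
    }
    Err(ParseError::UnterminatedComment)
}

/// Removes every comment from an RFC 2822 field body and returns the rest.
/// Comment delimiters are ASCII, so the bytes copied out are always whole
/// UTF-8 sequences.
pub fn strip_comments(input: &str) -> Result<String, ParseError> {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'(' {
            i = skip_comment(bytes, i, 1)?;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    Ok(String::from_utf8(out).expect("only complete UTF-8 sequences were copied"))
}

/// The advisory's workaround: reject oversized input before the parser
/// recurses at all, since stack use is at most proportional to input length.
pub fn strip_comments_bounded(input: &str, max_len: usize) -> Result<String, ParseError> {
    if input.len() > max_len {
        return Err(ParseError::InputTooLong { len: input.len(), max: max_len });
    }
    strip_comments(input)
}

fn main() {
    // Constructed sample inputs for this example.
    let date = "Thu, 05 Feb 2026 (patched (release)) 12:00:00 +0000";
    println!("{:?}", strip_comments(date));
    let deep = "(".repeat(1_000_000); // constructed: pathological nesting
    println!("{:?}", strip_comments(&deep)); // TooDeeplyNested, not a crash
    println!("{:?}", strip_comments_bounded(&deep, 998)); // InputTooLong
}
```

Both guards are cheap and independent: the length cap belongs at the trust boundary where untrusted text enters (so it protects even an unpatched parser), while the depth limit lives inside the recursive function so that it holds regardless of how the parser is reached.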
driftluo (Contributor) commented Feb 9, 2026

close by #5105

@driftluo driftluo closed this Feb 9, 2026
@driftluo driftluo deleted the copilot/fix-stack-exhaustion-issue branch February 9, 2026 09:27

Development

Successfully merging this pull request may close these issues.

RUSTSEC-2026-0009: Denial of Service via Stack Exhaustion