A malicious or compromised PostgreSQL server can pin a tokio worker thread to 100% CPU indefinitely by sending an unbounded SCRAM PBKDF2 iteration count — and that's just one of three newly fixed DoS holes in the Rust postgres driver stack.
CPU Exhaustion via Unbounded PBKDF2 Iterations
postgres-protocol implements SCRAM-SHA-256 authentication, which includes a PBKDF2 derivation with an iteration count sent by the server. Prior to version 0.6.12, the code accepted any iteration count without a cap. An attacker controlling the server, or a MITM who can intercept and modify the server's SCRAM message, can set an astronomical iteration count. The client then spends seconds or minutes computing the derived key, blocking the single tokio worker thread that handles authentication. No other connections on that worker make progress. This is textbook CPU-exhaustion DoS.
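The mitigation described above, as an added example that is not code from postgres-protocol: the client parses the SCRAM server-first-message and bounds the iteration count before any PBKDF2 work starts. The `MAX_ITERATIONS` value and all names here are this example's own assumptions, not the cap the crate chose in 0.6.12.

```rust
// Added example: validate a SCRAM-SHA-256 server-first-message
// (`r=<nonce>,s=<base64 salt>,i=<count>`, RFC 5802) before deriving a key.
// The bounds below are assumed policy values, not postgres-protocol's.

/// Lowest iteration count RFC 7677 allows for SCRAM-SHA-256.
pub const MIN_ITERATIONS: u32 = 4096;
/// Assumed ceiling: above this the client refuses instead of burning CPU.
pub const MAX_ITERATIONS: u32 = 1_000_000;

#[derive(Debug, PartialEq)]
pub struct ServerFirst<'a> {
    pub nonce: &'a str,
    pub salt_b64: &'a str,
    pub iterations: u32,
}

#[derive(Debug, PartialEq)]
pub enum ScramError {
    Malformed(&'static str),
    NonceMismatch,
    IterationsOutOfRange(u32),
}

/// Parse and bound-check every attribute; the caller may only start PBKDF2
/// on an `Ok` result. A leading `m=` (mandatory extension) is rejected too,
/// because the first attribute then fails to start with `r=`.
pub fn parse_server_first<'a>(msg: &'a str, client_nonce: &str) -> Result<ServerFirst<'a>, ScramError> {
    let mut parts = msg.split(',');
    let nonce = parts.next().and_then(|p| p.strip_prefix("r=")).ok_or(ScramError::Malformed("missing r="))?;
    let salt_b64 = parts.next().and_then(|p| p.strip_prefix("s=")).ok_or(ScramError::Malformed("missing s="))?;
    let iter_str = parts.next().and_then(|p| p.strip_prefix("i=")).ok_or(ScramError::Malformed("missing i="))?;
    // The server nonce must extend the client nonce (RFC 5802 section 5.1).
    if !nonce.starts_with(client_nonce) || nonce.len() == client_nonce.len() {
        return Err(ScramError::NonceMismatch);
    }
    if salt_b64.is_empty() {
        return Err(ScramError::Malformed("empty salt"));
    }
    // Digits only, and u32 parsing rejects counts that would overflow.
    if iter_str.is_empty() || !iter_str.bytes().all(|b| b.is_ascii_digit()) {
        return Err(ScramError::Malformed("iteration count not numeric"));
    }
    let iterations: u32 = iter_str.parse().map_err(|_| ScramError::Malformed("iteration count overflows u32"))?;
    if !(MIN_ITERATIONS..=MAX_ITERATIONS).contains(&iterations) {
        return Err(ScramError::IterationsOutOfRange(iterations));
    }
    Ok(ServerFirst { nonce, salt_b64, iterations })
}
```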
Panic on Malformed Hstore Values
The same postgres-protocol crate, in versions before 0.6.12, panics when decoding a malformed hstore value. Hstore is a key-value text storage type; a crafted binary representation with inconsistent length fields triggers an unwrap or out-of-bounds index panic inside the decode routine. Any client that processes an incoming hstore value from a hostile server, or from a stored malicious row, crashes. No graceful error — the application terminates.
Panic on Unexpected DataRow Layout
tokio-postgres version 0.7.18 fixes a panic that occurs when a DataRow message contains fewer field values than the number of columns in the prepared statement. The protocol expects the row to match the column count, but a malicious server can send a truncated row. The client's row processing code accesses out-of-bounds indices, causing a panic in the async stream. Again, a full disconnect rather than a recoverable error.
All three advisories were committed to the RustSec advisory-db on June 12, 2026. The fixes are in postgres-protocol 0.6.12 and tokio-postgres 0.7.18. Any Rust application that uses these libraries and accepts connections from untrusted PostgreSQL servers — think cloud services, multi-tenant databases, or any setup where the client connects to a database you don't fully control — should update immediately. The attack surface is real: if an attacker can compromise the database server or intercept the TLS connection, they can crash your Rust process or degrade your service.
Source: Add advisories for rust-postgres DoS issues (postgres-protocol, tokio...
Domain: github.com