The vulnerability in `mp3-metadata` arises from insufficient bounds checking in the `get_id3()` method, which is used by `mp3_metadata::read_from_slice()`. When processing MP3 metadata tags, the library does not properly validate buffer sizes during desynchronization, which can lead to out-of-bounds memory access. An attacker could trigger the flaw with a crafted MP3 file containing malformed metadata, causing memory corruption or a crash. The issue was patched in version `0.4.0` by adding proper bounds checks during tag reconstruction.
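As an added illustration of the bug class described above (not code from the mp3-metadata crate), the following shows an ID3v2 "desynchronization" step that validates the declared tag size against the real buffer length before indexing; the function name `get_id3_body`, the error type, and the assumed 10-byte ID3v2 header layout (`"ID3"`, 2 version bytes, 1 flag byte with bit 7 = unsynchronisation, 4-byte syncsafe size) are assumptions for this example.

```rust
// Added example, not the mp3-metadata crate's own code. Undo ID3v2
// unsynchronisation (drop the 0x00 stuffed after each 0xFF) only after
// checking the declared tag size against the bytes actually present.

#[derive(Debug, PartialEq)]
pub enum TagError {
    NoHeader,
    Truncated { declared: usize, available: usize },
}

/// Decode the 28-bit syncsafe integer used for the ID3v2 tag size.
fn syncsafe(b: &[u8]) -> usize {
    b.iter().fold(0usize, |acc, &x| (acc << 7) | (x & 0x7F) as usize)
}

/// Return the tag body with unsynchronisation undone. The declared size
/// is checked against `buf.len()` before any index is computed; an
/// unchecked `&buf[10..10 + declared]` would panic (the "crash" the
/// advisory describes) on a truncated file or an oversized size field.
pub fn get_id3_body(buf: &[u8]) -> Result<Vec<u8>, TagError> {
    if buf.len() < 10 || &buf[..3] != b"ID3" {
        return Err(TagError::NoHeader);
    }
    let unsync = (buf[5] & 0x80) != 0;
    let declared = syncsafe(&buf[6..10]);
    let available = buf.len() - 10;
    if declared > available {
        return Err(TagError::Truncated { declared, available });
    }
    let body = &buf[10..10 + declared];
    if !unsync {
        return Ok(body.to_vec());
    }
    let mut out = Vec::with_capacity(body.len());
    let mut i = 0;
    while i < body.len() {
        out.push(body[i]);
        // Skip the zero byte stuffed after 0xFF; `get` keeps this in bounds
        // even when 0xFF is the last byte of the body.
        if body[i] == 0xFF && body.get(i + 1) == Some(&0x00) {
            i += 1;
        }
        i += 1;
    }
    Ok(out)
}
```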
DailyCVE Form
Platform: Rust crate
Version: <0.4.0
Vulnerability: Bounds bypass
Severity: Moderate
Date: 2025-04-30
What Undercode Say:
Exploitation:
1. Craft a malicious MP3 file with oversized metadata tags.
2. Use `mp3_metadata::read_from_slice()` to parse the file.
3. Trigger desynchronization to exploit missing bounds checks.
Protection:
1. Update to `mp3-metadata >= 0.4.0`.
2. Validate input file metadata before processing.
Analytics:
- Impact: Memory corruption, denial-of-service.
- Attack Vector: Local/remote file parsing.
- Patch Diff: Added buffer length validation.
Commands:
cargo update mp3-metadata
Code Snippet (Detection):
use mp3_metadata;

// Returns true when the parser reports an error for the given bytes.
fn check_vulnerable(file: &[u8]) -> bool {
    mp3_metadata::read_from_slice(file).is_err()
}
Exploit Proof-of-Concept:
let malicious_data = vec![0xFF; 1024]; // Overflown tag
mp3_metadata::read_from_slice(&malicious_data); // Crashes <0.4.0
Mitigation Code:
// Always validate input length before handing the buffer to the parser
if file.len() > MAX_METADATA_SIZE {
    return Err("Invalid metadata length");
}
Sources:
Reported By: github.com