Skip to content

Add advisory for quick-xml: quadratic attribute duplicate-check (CPU DoS)#3020

Merged
djc merged 1 commit into
rustsec:mainfrom
qifan-sailboat:add-quick-xml-969-attributes-quadratic
Jul 2, 2026
Merged

Add advisory for quick-xml: quadratic attribute duplicate-check (CPU DoS)#3020
djc merged 1 commit into
rustsec:mainfrom
qifan-sailboat:add-quick-xml-969-attributes-quadratic

Conversation

@qifan-sailboat

Copy link
Copy Markdown

This adds a RustSec advisory for quick-xml#969.

  • Crate: quick-xml
  • Affected: < 0.41.0
  • Patched: 0.41.0 (released 2026-06-29)
  • Category: denial-of-service (CPU exhaustion / algorithmic complexity)

The default with_checks(true) attribute iterator — BytesStart::attributes() / try_get_attribute, also reached internally by NsReader — checked each attribute name against every previously seen name with a linear scan, so a single start tag with N distinct attribute names cost O(N²) byte comparisons (measured, release: 80k ≈ 6 s, 800k ≈ 10 min). On untrusted XML this is a CPU-exhaustion denial of service; because the check is pure computation with no I/O, a consumer's read/request timeout cannot interrupt it. Fixed in 0.41.0 (tafia/quick-xml#971).

Reported by me; the quick-xml maintainer asked that I file the RustSec advisory. The ID is left as the RUSTSEC-0000-0000 placeholder for assignment.

🤖 Generated with Claude Code

…DoS)

quick-xml < 0.41.0: the default duplicate-attribute-name check in the `Attributes` iterator scanned all previously seen names for every attribute, so a start tag with N distinct names cost O(N^2) byte comparisons -- a remote, unauthenticated CPU-exhaustion DoS on untrusted XML. Fixed in 0.41.0 (tafia/quick-xml#971).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@djc djc merged commit b20b0b5 into rustsec:main Jul 2, 2026
1 check passed
@djc

djc commented Jul 2, 2026

Copy link
Copy Markdown
Member

Thanks!

@qifan-sailboat qifan-sailboat deleted the add-quick-xml-969-attributes-quadratic branch July 2, 2026 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants