Vulnerability Description
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Time Project | Time | >= 0.3.6, < 0.3.47 |
Related Weaknesses (CWE)
References
- https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05Release Notes
- https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841eePatch
- https://github.com/time-rs/time/releases/tag/v0.3.47ProductRelease Notes
- https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xcVendor Advisory
FAQ
What is CVE-2026-25727?
CVE-2026-25727 is a vulnerability with a CVSS score of 6.5 (MEDIUM). time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack e...
How severe is CVE-2026-25727?
CVE-2026-25727 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25727?
Check the references section above for vendor advisories and patch information. Affected products include: Time Project Time.