houseme

2 exploits, active since Jan 2026
CVE-2026-22782 WRITEUP HIGH
RustFS 1.0.0-alpha.1-1.0.0-alpha.79 - Sensitive Information Exposure via Invalid RPC Signature Logging
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and the expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid-signature branch logs sensitive data: the log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path, and the function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.
CVSS 7.5
CVE-2025-69255 WRITEUP MEDIUM
RustFS 1.0.0-alpha.13-1.0.0-alpha.77 - Denial of Service via Malformed gRPC GetMetrics Request
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to call unwrap() on the failed deserialization of metric_type/opts, which panics the handler thread and enables remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78.
CVSS 4.0