CVE-2023-22466

MEDIUM

Tokio <1.18.4, 1.20.3, 1.23.1 - Info Disclosure

Title source: llm

Description

Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`.

References (4)

Core 4

Core References

Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7

Patch, Third Party Advisory x_refsource_misc

https://github.com/tokio-rs/tokio/pull/5336

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1

Technical Description, Third Party Advisory x_refsource_misc

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients

Scores

CVSS v3 5.4

EPSS 0.0056

EPSS Percentile 42.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-665

Status published

Products (2)

crates.io/tokio 1.7.0 - 1.18.4crates.io

tokio/tokio 1.7.0 - 1.18.4

Published Jan 04, 2023

Tracked Since Feb 18, 2026