Description
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is passed to any type that parses the RFC 2822 format, a denial-of-service attack via stack exhaustion is possible. The attack relies on the malicious use of formally deprecated and rarely used features of the RFC 2822 format. Ordinary, non-malicious input never encounters this scenario. A limit on recursion depth was added in v0.3.47; from that version on, an error is returned rather than the stack being exhausted.
References (4)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc
Patch x_refsource_misc
https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee
Various Sources x_refsource_misc
https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
Release Notes x_refsource_misc
https://github.com/time-rs/time/releases/tag/v0.3.47
Scores
CVSS v3
6.5
EPSS
0.0002
EPSS Percentile
3.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-121
Status
published
Products (2)
crates.io/time
0.3.6 - 0.3.47 (crates.io)
time_project/time
0.3.6 - 0.3.47
Published
Feb 06, 2026
Tracked Since
Feb 18, 2026