Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/sha3@1.0.5
purl pkg:gem/sha3@1.0.5
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-ewbq-2gm8-tyf5 Buffer overflow in sponge queue functions ### Impact The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more. ### Patches Yes, see commit [fdc6fef0](https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a). ### Workarounds The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether. ### References See [issue #105](https://github.com/XKCP/XKCP/issues/105) for more details. CVE-2022-37454
GHSA-6w4m-2xhg-2658

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-03T21:28:08.923242+00:00 GitLab Importer Fixing VCID-ewbq-2gm8-tyf5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/sha3/CVE-2022-37454.yml 38.1.0
2026-04-02T16:59:25.876344+00:00 GHSA Importer Fixing VCID-ewbq-2gm8-tyf5 https://github.com/advisories/GHSA-6w4m-2xhg-2658 38.1.0
2026-04-01T12:57:29.906540+00:00 GithubOSV Importer Fixing VCID-ewbq-2gm8-tyf5 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-6w4m-2xhg-2658/GHSA-6w4m-2xhg-2658.json 38.0.0