GHSA-8655-xgh5-5vvq: 
Rust vulnerability analysis and mitigation

The fast-float Rust crate contains a segmentation fault vulnerability (GHSA-8655-xgh5-5vvq) due to lack of bound checking in the AsciiStr struct. The vulnerability affects versions <= 0.2.0 of the package and was discovered and reported on October 13, 2024, with the advisory being published on January 29, 2025. The issue specifically resides in the fast_float::common::AsciiStr::first method (GitHub Advisory, RustSec Advisory).

The vulnerability stems from the first method within the AsciiStr struct using the unsafe keyword to read from memory without performing bounds checking. The method directly dereferences a pointer offset by self.ptr without validating the input buffer size. When an empty string is provided as input, the method attempts to access an invalid memory address, leading to undefined behavior and potential segmentation faults (GitHub Issue).

When exploited, this vulnerability can lead to invalid memory access and segmentation faults when processing empty buffers. The issue violates Rust's memory safety guarantees and can potentially cause program crashes or undefined behavior in applications using the affected versions of the fast-float crate (RustSec Advisory).

While no patched version has been released for the original fast-float crate, a patch is available in the fast-float2 fork. The recommended fix involves implementing proper input validation in the first method to safely handle empty structs, or changing the method to return an Option type and moving the empty check to ensure local safety invariants (GitHub Issue).