CVE-2026-25727 Overview
CVE-2026-25727 is a Denial of Service vulnerability in the time crate, a popular Rust library for date and time handling. The vulnerability affects versions 0.3.6 through 0.3.46 and allows attackers to cause stack exhaustion when parsing maliciously crafted input using the RFC 2822 format. This attack leverages formally deprecated and rarely-used features within the RFC 2822 specification, exploiting recursive parsing behavior without proper depth limits.
Critical Impact
Applications parsing untrusted user input with the RFC 2822 date format are vulnerable to denial of service attacks through stack exhaustion, potentially causing service interruptions.
Affected Products
- time Rust crate versions 0.3.6 to 0.3.46
- Applications using time crate with RFC 2822 parsing functionality
- Rust projects dependent on vulnerable time crate versions
Discovery Timeline
- 2026-02-05 - time crate maintainers release security patch v0.3.47
- 2026-02-06 - CVE CVE-2026-25727 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2026-25727
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), though the specific mechanism involves recursive stack exhaustion during RFC 2822 date parsing. The time crate's RFC 2822 parser processes certain deprecated format features through recursive function calls. When an attacker supplies specially crafted input containing deeply nested or repeated structures that trigger unbounded recursion, the parsing logic consumes stack space until exhaustion occurs, resulting in a process crash.
The attack requires network access and some user interaction, targeting applications that accept and parse user-provided date strings in RFC 2822 format. While ordinary, non-malicious input will never trigger this condition, deliberately malformed input can exploit the parser's handling of obscure RFC 2822 features to achieve denial of service.
Root Cause
The root cause lies in the RFC 2822 parsing implementation within time/src/parsing/combinator/rfc/rfc2822.rs, which lacked recursion depth limits when processing certain folded whitespace (FWS) and comment structures defined in the RFC 2822 specification. These deprecated features, while rarely used in legitimate scenarios, could be abused to create input that triggers excessive recursive calls.
Attack Vector
An attacker can exploit this vulnerability by providing maliciously crafted date strings to any application endpoint that parses user input using the time crate's RFC 2822 format parser. The attack is network-based, requiring the attacker to send specially constructed payloads that exploit the recursive parsing behavior. Successful exploitation results in stack exhaustion and application crash, causing denial of service.
// Security patch adding recursion depth limit
// Source: https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee
use crate::parsing::combinator::rfc::rfc2234::wsp;
use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more};
+const DEPTH_LIMIT: u8 = 32;
+
/// Consume the `fws` rule.
// The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/
#[inline]
Source: GitHub Commit Details
Detection Methods for CVE-2026-25727
Indicators of Compromise
- Unexpected application crashes with stack overflow errors during date parsing operations
- High memory consumption or stack exhaustion events in applications using the time crate
- Error logs indicating parsing failures with unusually large or nested RFC 2822 date strings
Detection Strategies
- Monitor for stack overflow exceptions in Rust applications that parse external date inputs
- Implement dependency scanning to identify vulnerable time crate versions (0.3.6 - 0.3.46)
- Use Software Composition Analysis (SCA) tools to track vulnerable library versions in your codebase
Monitoring Recommendations
- Set up alerting for repeated application crashes or restarts that may indicate DoS attempts
- Log and analyze incoming date string inputs for anomalous length or structure
- Monitor resource utilization metrics for signs of stack exhaustion attacks
How to Mitigate CVE-2026-25727
Immediate Actions Required
- Upgrade the time crate to version 0.3.47 or later immediately
- Audit applications for any endpoints that accept and parse user-provided RFC 2822 date strings
- Implement input validation to reject excessively long or malformed date strings before parsing
Patch Information
The vulnerability was addressed in time crate version 0.3.47, released on 2026-02-05. The fix introduces a recursion depth limit of 32 (DEPTH_LIMIT: u8 = 32) in the RFC 2822 parser. When this limit is exceeded, the parser now returns an error rather than continuing to recurse until stack exhaustion. Organizations should update their Cargo.toml dependencies and rebuild affected applications. For detailed patch information, see the GitHub Security Advisory and the GitHub Release v0.3.47.
Workarounds
- Implement input length limits on date strings before passing them to the RFC 2822 parser
- Use alternative date parsing formats (such as ISO 8601) that do not exhibit this vulnerability
- Deploy rate limiting on endpoints that process date strings to mitigate DoS impact
# Update time crate in Cargo.toml
# Change dependency version to patched release
sed -i 's/time = "0\.3\.[0-9]*"/time = "0.3.47"/' Cargo.toml
cargo update -p time
cargo build --release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
