Summary
crates/larql-python/Cargo.toml uses pyo3 = { version = "0.24", features = ["extension-module"] }, which resolves to pyo3 0.24.2. Two security advisories were disclosed against this version:
| Advisory | Title | Severity |
|---|---|---|
| RUSTSEC-2026-0176 | Out-of-bounds read in nth/nth_back for PyList/PyTuple iterators | High |
| RUSTSEC-2026-0177 | Missing Sync bound on PyCFunction::new_closure closures | High |
Affected APIs
- RUSTSEC-2026-0176: PyList/PyTuple iterator nth and nth_back methods
- RUSTSEC-2026-0177: PyCFunction::new_closure
Neither affected API is used by the code in crates/larql-python/src/ (the bindings use Bound<'py, ...>, #[pyfunction], #[pyclass]); exploitation risk against this codebase is therefore nil. Nonetheless, any cargo-audit or cargo-deny scan will fail until pyo3 is upgraded.
Fix
In crates/larql-python/Cargo.toml:
```toml
# before
pyo3 = { version = "0.24", features = ["extension-module"] }
# after
pyo3 = { version = "0.29", features = ["extension-module"] }
```
The codebase already uses the modern Bound<'py, ...> API (introduced pyo3 0.21), so the migration surface is small. Migration guide: https://pyo3.rs/v0.29.0/migration
Run cargo update -p pyo3 after bumping the version requirement.
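Since the advisories are attached to the resolved version rather than the requirement in Cargo.toml, a lockfile check makes the upgrade verifiable in CI. The script below is an added example, not part of this issue or the larql project; the 0.29.0 floor and the two Cargo.lock fragments are constructed for the check.

```shell
# Added example, not from the larql project: read the pyo3 version a Cargo.lock
# actually resolved and compare it against the patched floor. The 0.29.0 floor
# and both lockfile fragments below are constructed for this check.
PATCHED_FLOOR="0.29.0"

# Constructed Cargo.lock fragment matching what `pyo3 = "0.24"` resolves to today.
VULNERABLE_LOCK='[[package]]
name = "pyo3"
version = "0.24.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "pyo3-build-config"
version = "0.24.2"
'
# Constructed fragment after the bump and `cargo update -p pyo3`.
PATCHED_LOCK='[[package]]
name = "pyo3"
version = "0.29.0"
'

# Print the version of the exactly-named package from a Cargo.lock on stdin.
# Matching on the quoted name keeps pyo3 distinct from pyo3-build-config.
resolved_version() {
  awk -v pkg="$1" '
    /^\[\[package\]\]/ { found = 0 }
    $1 == "name" && $3 == ("\"" pkg "\"") { found = 1; next }
    found && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
  '
}

# Succeed when dotted version $1 is at or above $2, comparing each component numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Succeed only when the lockfile text in $1 pins pyo3 at or above the floor.
pyo3_is_patched() {
  _v=$(printf '%s' "$1" | resolved_version pyo3)
  [ -n "$_v" ] && version_ge "$_v" "$PATCHED_FLOOR"
}
```

Feed the real file with `pyo3_is_patched "$(cat Cargo.lock)"` and fail the pipeline on a non-zero exit.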