RUSTSEC-2026-0179
ADVISORY - rustsec
Summary
A malicious, compromised, or man-in-the-middle server can supply an arbitrarily
large SCRAM-SHA-256 PBKDF2 iteration count during authentication. The client
runs it inline with no upper bound, pinning a tokio worker thread for minutes
per connection, possibly stalling the whole async runtime.
Applications that connect only to a trusted database are not exposed; the risk applies to clients that may connect to untrusted or user-supplied servers, or whose connection can be intercepted by a man-in-the-middle.
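The defensive check implied by the advisory, as an added example that is not code from the advisory or the affected crate: parse the SCRAM-SHA-256 server-first message and bound the server-supplied iteration count before any PBKDF2 work is started (std only; MAX_ITERATIONS is an assumed policy value, the minimum comes from RFC 7677).

```rust
// Added example (not code from the advisory or the affected crate): parse a SCRAM
// server-first message and bound the iteration count before any PBKDF2 runs.
/// Minimum iteration count mandated for SCRAM-SHA-256 by RFC 7677.
pub const MIN_ITERATIONS: u32 = 4096;
/// Upper bound on server-supplied iterations; an assumed policy value for this example.
pub const MAX_ITERATIONS: u32 = 1_000_000;

#[derive(Debug, PartialEq)]
pub enum ScramError {
    Malformed(&'static str),
    NonceMismatch,
    IterationsOutOfRange(u32),
}

#[derive(Debug, PartialEq)]
pub struct ServerFirst {
    pub nonce: String,
    pub salt_b64: String,
    pub iterations: u32,
}

/// Parse "r=<nonce>,s=<salt>,i=<count>" and validate it. Returning an error here
/// means an oversized `i` never reaches the key-derivation step.
pub fn parse_server_first(msg: &str, client_nonce: &str) -> Result<ServerFirst, ScramError> {
    let (mut nonce, mut salt, mut iterations): (Option<String>, Option<String>, Option<u32>) =
        (None, None, None);
    for attr in msg.split(',') {
        let (key, value) = attr
            .split_once('=')
            .ok_or(ScramError::Malformed("attribute without '='"))?;
        match key {
            "r" => nonce = Some(value.to_string()),
            "s" => salt = Some(value.to_string()),
            // u32 parsing already rejects negatives, empty strings and values beyond u32::MAX.
            "i" => iterations = Some(value.parse::<u32>().map_err(|_| ScramError::Malformed("i is not a valid u32"))?),
            "m" => return Err(ScramError::Malformed("mandatory extension not supported")),
            _ => {} // other optional extensions are ignored (RFC 5802)
        }
    }
    let nonce = nonce.ok_or(ScramError::Malformed("missing r"))?;
    let salt_b64 = salt.ok_or(ScramError::Malformed("missing s"))?;
    let iterations = iterations.ok_or(ScramError::Malformed("missing i"))?;
    // The server nonce must begin with the client nonce (RFC 5802, section 5.1).
    if !nonce.starts_with(client_nonce) {
        return Err(ScramError::NonceMismatch);
    }
    if !(MIN_ITERATIONS..=MAX_ITERATIONS).contains(&iterations) {
        return Err(ScramError::IterationsOutOfRange(iterations));
    }
    Ok(ServerFirst { nonce, salt_b64, iterations })
}
```

Even with the bound in place, the PBKDF2 call that follows is CPU-bound and belongs on a blocking thread pool rather than inline on an async worker.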