Update Rust crate pyo3 to 0.24.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
pyo3	dependencies	minor	0.20.3 → 0.24.0

---

PyO3 Risk of buffer overflow in PyString::from_object

GHSA-pph8-gcv7-4qj5

More information

Details

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

Severity

• CVSS Score: 2.9 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

• https://github.com/PyO3/pyo3/issues/5005
• https://github.com/PyO3/pyo3/pull/5008
• https://rustsec.org/advisories/RUSTSEC-2025-0020.html
• https://github.com/advisories/GHSA-pph8-gcv7-4qj5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pyo3/pyo3 (pyo3)

v0.24.1

Compare Source

Added

• Add abi3-py313 feature. #​4969
• Add PyAnyMethods::getattr_opt. #​4978
• Add PyInt::new constructor for all supported number types (i32, u32, i64, u64, isize, usize). #​4984
• Add pyo3::sync::with_critical_section2. #​4992
• Implement PyCallArgs for Borrowed<'_, 'py, PyTuple>, &Bound<'py, PyTuple>, and &Py<PyTuple>. #​5013

Fixed

• Fix is_type_of for native types not using same specialized check as is_type_of_bound. #​4981
• Fix Probe class naming issue with #[pymethods]. #​4988
• Fix compile failure with required #[pyfunction] arguments taking Option<&str> and Option<&T> (for #[pyclass] types). #​5002
• Fix PyString::from_object causing of bounds reads with encoding and errors parameters which are not nul-terminated. #​5008
• Fix compile error when additional options follow after crate for #[pyfunction]. #​5015

v0.24.0

Compare Source

Packaging

• Add supported CPython/PyPy versions to cargo package metadata. #​4756
• Bump target-lexicon dependency to 0.13. #​4822
• Add optional jiff dependency to add conversions for jiff datetime types. #​4823
• Add optional uuid dependency to add conversions for uuid::Uuid. #​4864
• Bump minimum supported inventory version to 0.3.5. #​4954

Added

• Add PyIterator::send method to allow sending values into a python generator. #​4746
• Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #​4768
• Add #[pyo3(default = ...'] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #​4829
• Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #​4850
• Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #​4866
• Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #​4878
• Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #​4878
• Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator #​4897
• Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #​4917
• Add MutextExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #​4934
• Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #​4941

Changed

• Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #​4810
• Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #​4593
• Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #​4747
• PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #​4768
• Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #​4853
• #[pyo3(from_py_with = ...)] now take a path rather than a string literal #​4860
• Format Python traceback in impl Debug for PyErr. #​4900
• Convert PathBuf & Path into Python pathlib.Path instead of PyString. #​4925
• Relax parsing of exotic Python versions. #​4949
• PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #​4874

Removed

• Remove implementations of Deref for PyAny and other "native" types. #​4593
• Remove implicit default of trailing optional arguments (see #​2935) #​4729
• Remove the deprecated implicit eq fallback for simple enums. #​4730

Fixed

• Correct FFI definition of PyIter_Send to return a PySendResult. #​4746
• Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #​4948

v0.23.5

Compare Source

Packaging

• Add support for PyPy3.11 #​4760

Fixed

• Fix thread-unsafe implementation of freelist pyclasses on the free-threaded build. #​4902
• Re-enable a workaround for situations where CPython incorrectly does not add __builtins__ to __globals__ in code executed by Python::py_run (was removed in PyO3 0.23.0). #​4921

v0.23.4

Compare Source

Added

• Add PyList::locked_for_each, which uses a critical section to lock the list on the free-threaded build. #​4789
• Add pyo3_build_config::add_python_framework_link_args build script API to set rpath when using macOS system Python. #​4833

Changed

• Use datetime.fold to distinguish ambiguous datetimes when converting to and from chrono::DateTime<Tz> (rather than erroring). #​4791
• Optimize PyList iteration on the free-threaded build. #​4789

Fixed

• Fix unnecessary internal py.allow_threads GIL-switch when attempting to access contents of a PyErr which originated from Python (could lead to unintended deadlocks). #​4766
• Fix thread-unsafe access of dict internals in BoundDictIterator on the free-threaded build. #​4788

• Fix unnecessary critical sections in BoundDictIterator on the free-threaded build. #​4788

• Fix time-of-check to time-of-use issues with list iteration on the free-threaded build. #​4789
• Fix chrono::DateTime<Tz> to-Python conversion when Tz is chrono_tz::Tz. #​4790
• Fix #[pyclass] not being able to be named Probe. #​4794
• Fix not treating cross-compilation from x64 to aarch64 on Windows as a cross-compile. #​4800
• Fix missing struct fields on GraalPy when subclassing builtin classes. #​4802
• Fix generating import lib for PyPy when abi3 feature is enabled. #​4806
• Fix generating import lib for python3.13t when abi3 feature is enabled. #​4808
• Fix compile failure for raw identifiers like r#box in derive(FromPyObject). #​4814
• Fix compile failure for #[pyclass] enum variants with more than 12 fields. #​4832

v0.23.3

Compare Source

Packaging

• Bump optional python3-dll-a dependency to 0.2.11. #​4749

Fixed

• Fix unresolved symbol link failures on Windows when compiling for Python 3.13t with abi3 features enabled. #​4733
• Fix unresolved symbol link failures on Windows when compiling for Python 3.13t using the generate-import-lib feature. #​4749
• Fix compile-time regression in PyO3 0.23.0 where changing PYO3_CONFIG_FILE would not reconfigure PyO3 for the new interpreter. #​4758

v0.23.2

Compare Source

Added

• Add IntoPyObjectExt trait. #​4708

Fixed

• Fix compile failures when building for free-threaded Python when the abi3 or abi3-pyxx features are enabled. #​4719
• Fix ambiguous_associated_items lint error in #[pyclass] and #[derive(IntoPyObject)] macros. #​4725

v0.23.1

Compare Source

Re-release of 0.23.0 with fixes to docs.rs build.

v0.23.0

Compare Source

Packaging

• Add support for PyPy3.11 #​4760

Fixed

• Fix thread-unsafe implementation of freelist pyclasses on the free-threaded build. #​4902
• Re-enable a workaround for situations where CPython incorrectly does not add __builtins__ to __globals__ in code executed by Python::py_run (was removed in PyO3 0.23.0). #​4921

v0.22.6: PyO3 0.22.6

Compare Source

This release corrects the check for free-threaded Python introduced in PyO3 0.22.2 to prevent users accidentally installing PyO3 packages on Python 3.13t; PyO3 0.22 does not support free-threaded Python. (Stay tuned for the 0.23 release coming very soon!)

Thanks @​minrk for the report and @​davidhewitt for the fix!

v0.22.5

Compare Source

Fixed

• Fix regression in 0.22.4 of naming collision in __clear__ slot and clear method generated code. #​4619

v0.22.4

Compare Source

Fixed

• Fix regression in 0.22.4 of naming collision in __clear__ slot and clear method generated code. #​4619

v0.22.3

Compare Source

Added

• Add FFI definition PyWeakref_GetRef and compat::PyWeakref_GetRef. #​4528

Changed

• Deprecate _borrowed methods on PyWeakRef and PyWeakrefProxy (just use the owning forms). #​4590

Fixed

• Revert removal of private FFI function _PyLong_NumBits on Python 3.13 and later. #​4450
• Fix __traverse__ functions for base classes not being called by subclasses created with #[pyclass(extends = ...)]. #​4563
• Fix regression in 0.22.3 failing compiles under #![forbid(unsafe_code)]. #​4574
• Fix create_exception macro triggering lint and compile errors due to interaction with gil-refs feature. #​4589
• Workaround possible use-after-free in _borrowed methods on PyWeakRef and PyWeakrefProxy by leaking their contents. #​4590
• Fix crash calling PyType_GetSlot on static types before Python 3.10. #​4599

v0.22.2

Compare Source

Packaging

• Require opt-in to freethreaded Python using the UNSAFE_PYO3_BUILD_FREE_THREADED=1 environment variable (it is not yet supported by PyO3). #​4327

Changed

• Use FFI function calls for reference counting on all abi3 versions. #​4324
• #[pymodule(...)] now directly accepts all relevant #[pyo3(...)] options. #​4330

Fixed

• Fix compile failure in declarative #[pymodule] under presence of #![no_implicit_prelude]. #​4328
• Fix compile failure due to c-string literals on Rust < 1.79. #​4353

v0.22.1

Compare Source

Added

• Add #[pyo3(submodule)] option for declarative #[pymodule]s. #​4301
• Implement PartialEq<bool> for Bound<'py, PyBool>. #​4305

Fixed

• Return NotImplemented instead of raising TypeError from generated equality method when comparing different types. #​4287
• Handle full-path #[pyo3::prelude::pymodule] and similar for #[pyclass] and #[pyfunction] in declarative modules. #​4288
• Fix 128-bit int regression on big-endian platforms with Python <3.13. #​4291
• Stop generating code that will never be covered with declarative modules. #​4297
• Fix invalid deprecation warning for trailing optional on #[setter] function. #​4304

v0.22.0

Compare Source

Packaging

• Update heck dependency to 0.5. #​3966
• Extend range of supported versions of chrono-tz optional dependency to include version 0.10. #​4061
• Update MSRV to 1.63. #​4129
• Add optional num-rational feature to add conversions with Python's fractions.Fraction. #​4148
• Support Python 3.13. #​4184

Added

• Add PyWeakref, PyWeakrefReference and PyWeakrefProxy. #​3835
• Support #[pyclass] on enums that have tuple variants. #​4072
• Add support for scientific notation in Decimal conversion. #​4079
• Add pyo3_disable_reference_pool conditional compilation flag to avoid the overhead of the global reference pool at the cost of known limitations as explained in the performance section of the guide. #​4095
• Add #[pyo3(constructor = (...))] to customize the generated constructors for complex enum variants. #​4158
• Add PyType::module, which always matches Python __module__. #​4196
• Add PyType::fully_qualified_name which matches the "fully qualified name" defined in PEP 737. #​4196
• Add PyTypeMethods::mro and PyTypeMethods::bases. #​4197
• Add #[pyclass(ord)] to implement ordering based on PartialOrd. #​4202
• Implement ToPyObject and IntoPy<PyObject> for PyBackedStr and PyBackedBytes. #​4205
• Add #[pyclass(hash)] option to implement __hash__ in terms of the Hash implementation #​4206
• Add #[pyclass(eq)] option to generate __eq__ based on PartialEq, and #[pyclass(eq_int)] for simple enums to implement equality based on their discriminants. #​4210
• Implement From<Bound<'py, T>> for PyClassInitializer<T>. #​4214
• Add as_super methods to PyRef and PyRefMut for accessing the base class by reference. #​4219
• Implement PartialEq<str> for Bound<'py, PyString>. #​4245
• Implement PyModuleMethods::filename on PyPy. #​4249
• Implement PartialEq<[u8]> for Bound<'py, PyBytes>. #​4250
• Add pyo3_ffi::c_str macro to create &'static CStr on Rust versions which don't have 1.77's c"" literals. #​4255
• Support bool conversion with numpy 2.0's numpy.bool type #​4258
• Add PyAnyMethods::{bitnot, matmul, floor_div, rem, divmod}. #​4264

Changed

• Change the type of PySliceIndices::slicelength and the length parameter of PySlice::indices(). #​3761
• Deprecate implicit default for trailing optional arguments #​4078
• Cloneing pointers into the Python heap has been moved behind the py-clone feature, as it must panic without the GIL being held as a soundness fix. #​4095
• Add #[track_caller] to all Py<T>, Bound<'py, T> and Borrowed<'a, 'py, T> methods which can panic. #​4098
• Change PyAnyMethods::dir to be fallible and return PyResult<Bound<'py, PyList>> (and similar for PyAny::dir). #​4100
• The global reference pool (to track pending reference count decrements) is now initialized lazily to avoid the overhead of taking a mutex upon function entry when the functionality is not actually used. #​4178
• Emit error messages when using weakref or dict when compiling for abi3 for Python older than 3.9. #​4194
• Change PyType::name to always match Python __name__. #​4196
• Remove CPython internal ffi call for complex number including: add, sub, mul, div, neg, abs, pow. Added PyAnyMethods::{abs, pos, neg} #​4201
• Deprecate implicit integer comparison for simple enums in favor of #[pyclass(eq_int)]. #​4210
• Set the module= attribute of declarative modules' child #[pymodule]s and #[pyclass]es. #​4213
• Set the module option for complex enum variants from the value set on the complex enum module. #​4228
• Respect the Python "limited API" when building for the abi3 feature on PyPy or GraalPy. #​4237
• Optimize code generated by #[pyo3(get)] on #[pyclass] fields. #​4254
• PyCFunction::new, PyCFunction::new_with_keywords and PyCFunction::new_closure now take &'static CStr name and doc arguments (previously was &'static str). #​4255
• The experimental-declarative-modules feature is now stabilized and available by default. #​4257

Fixed

• Fix panic when PYO3_CROSS_LIB_DIR is set to a missing path. #​4043
• Fix a compile error when exporting an exception created with create_exception! living in a different Rust module using the declarative-module feature. #​4086
• Fix FFI definitions of PY_VECTORCALL_ARGUMENTS_OFFSET and PyVectorcall_NARGS to fix a false-positive assertion. #​4104
• Disable PyUnicode_DATA on PyPy: not exposed by PyPy. #​4116
• Correctly handle #[pyo3(from_py_with = ...)] attribute on dunder (__magic__) method arguments instead of silently ignoring it. #​4117
• Fix a compile error when declaring a standalone function or class method with a Python name that is a Rust keyword. #​4226
• Fix declarative modules discarding doc comments on the mod node. #​4236
• Fix __dict__ attribute missing for #[pyclass(dict)] instances when building for abi3 on Python 3.9. #​4251

v0.21.2

Compare Source

Changed

• Deprecate the PySet::empty() gil-ref constructor. #​4082

Fixed

• Fix compile error for async fn in #[pymethods] with a &self receiver and more than one additional argument. #​4035
• Improve error message for wrong receiver type in __traverse__. #​4045
• Fix compile error when exporting a #[pyclass] living in a different Rust module using the experimental-declarative-modules feature. #​4054
• Fix missing_docs lint triggering on documented #[pymodule] functions. #​4067
• Fix undefined symbol errors for extension modules on AIX (by linking libpython). #​4073

v0.21.1

Compare Source

Added

• Implement Send and Sync for PyBackedStr and PyBackedBytes. #​4007
• Implement Clone, Debug, PartialEq, Eq, PartialOrd, Ord and Hash implementation for PyBackedBytes and PyBackedStr, and Display for PyBackedStr. #​4020
• Add import_exception_bound! macro to import exception types without generating GIL Ref functionality for them. #​4027

Changed

• Emit deprecation warning for uses of GIL Refs as #[setter] function arguments. #​3998
• Add #[inline] hints on many Bound and Borrowed methods. #​4024

Fixed

• Handle #[pyo3(from_py_with = "")] in #[setter] methods #​3995
• Allow extraction of &Bound in #[setter] methods. #​3998
• Fix some uncovered code blocks emitted by #[pymodule], #[pyfunction] and #[pyclass] macros. #​4009
• Fix typo in the panic message when a class referenced in pyo3::import_exception! does not exist. #​4012
• Fix compile error when using an async #[pymethod] with a receiver and additional arguments. #​4015

v0.21.0

Compare Source

Added

• Add support for GraalPy (24.0 and up). #​3247
• Add PyMemoryView type. #​3514
• Allow async fn in for #[pyfunction] and #[pymethods], with the experimental-async feature. #​3540 #​3588 #​3599 #​3931
• Implement PyTypeInfo for PyEllipsis, PyNone and PyNotImplemented. #​3577
• Support #[pyclass] on enums that have non-unit variants. #​3582
• Support chrono feature with abi3 feature. #​3664
• FromPyObject, IntoPy<PyObject> and ToPyObject are implemented on std::duration::Duration #​3670
• Add PyString::to_cow. Add Py<PyString>::to_str, Py<PyString>::to_cow, and Py<PyString>::to_string_lossy, as ways to access Python string data safely beyond the GIL lifetime. #​3677
• Add Bound<T> and Borrowed<T> smart pointers as a new API for accessing Python objects. #​3686
• Add PyNativeType::as_borrowed to convert "GIL refs" to the new Bound smart pointer. #​3692
• Add FromPyObject::extract_bound method, to migrate FromPyObject implementations to the Bound API. #​3706
• Add gil-refs feature to allow continued use of the deprecated GIL Refs APIs. #​3707
• Add methods to PyAnyMethods for binary operators (add, sub, etc.) #​3712
• Add chrono-tz feature allowing conversion between chrono_tz::Tz and zoneinfo.ZoneInfo #​3730
• Add FFI definition PyType_GetModuleByDef. #​3734
• Conversion between std::time::SystemTime and datetime.datetime #​3736
• Add Py::as_any and Py::into_any. #​3785
• Add PyStringMethods::encode_utf8. #​3801
• Add PyBackedStr and PyBackedBytes, as alternatives to &str and &bytes where a Python object owns the data. #​3802 #​3991
• Allow #[pymodule] macro on Rust mod blocks, with the experimental-declarative-modules feature. #​3815
• Implement ExactSizeIterator for set and frozenset iterators on abi3 feature. #​3849
• Add Py::drop_ref to explicitly drop a `Py`` and immediately decrease the Python reference count if the GIL is already held. #​3871
• Allow #[pymodule] macro on single argument functions that take &Bound<'_, PyModule>. #​3905
• Implement FromPyObject for Cow<str>. #​3928
• Implement Default for GILOnceCell. #​3971
• Add PyDictMethods::into_mapping, PyListMethods::into_sequence and PyTupleMethods::into_sequence. #​3982

Changed

• PyDict::from_sequence now takes a single argument of type &PyAny (previously took two arguments Python and PyObject). #​3532
• Deprecate Py::is_ellipsis and PyAny::is_ellipsis in favour of any.is(py.Ellipsis()). #​3577
• Split some PyTypeInfo functionality into new traits HasPyGilRef and PyTypeCheck. #​3600
• Deprecate PyTryFrom and PyTryInto traits in favor of any.downcast() via the PyTypeCheck and PyTypeInfo traits. #​3601
• Allow async methods to accept &self/&mut self #​3609
• FromPyObject for set types now also accept frozenset objects as input. #​3632
• FromPyObject for bool now also accepts NumPy's bool_ as input. #​3638
• Add AsRefSource associated type to PyNativeType. #​3653
• Rename .is_true to .is_truthy on PyAny and Py<PyAny> to clarify that the test is not based on identity with or equality to the True singleton. #​3657
• PyType::name is now PyType::qualname whereas PyType::name efficiently accesses the full name which includes the module name. #​3660
• The Iter(A)NextOutput types are now deprecated and __(a)next__ can directly return anything which can be converted into Python objects, i.e. awaitables do not need to be wrapped into IterANextOutput or Option any more. Option can still be used as well and returning None will trigger the fast path for __next__, stopping iteration without having to raise a StopIteration exception. #​3661
• Implement FromPyObject on chrono::DateTime<Tz> for all Tz, not just FixedOffset and Utc. #​3663
• Add lifetime parameter to PyTzInfoAccess trait. For the deprecated gil-ref API, the trait is now implemented for &'py PyTime and &'py PyDateTime instead of PyTime and PyDate. #​3679
• Calls to __traverse__ become no-ops for unsendable pyclasses if on the wrong thread, thereby avoiding hard aborts at the cost of potential leakage. #​3689
• Include PyNativeType in pyo3::prelude. #​3692
• Improve performance of extract::<i64> (and other integer types) by avoiding call to __index__() converting the value to an integer for 3.10+. Gives performance improvement of around 30% for successful extraction. #​3742
• Relax bound of FromPyObject for Py<T> to just T: PyTypeCheck. #​3776
• PySet and PyFrozenSet iterators now always iterate the equivalent of iter(set). (A "fast path" with no noticeable performance benefit was removed.) #​3849
• Move implementations of FromPyObject for &str, Cow<str>, &[u8] and Cow<[u8]> onto a temporary trait FromPyObjectBound when gil-refs feature is deactivated. #​3928
• Deprecate GILPool, Python::with_pool, and Python::new_pool. #​3947

Removed

• Remove all functionality deprecated in PyO3 0.19. #​3603

Fixed

• Match PyPy 7.3.14 in removing PyPy-only symbol Py_MAX_NDIMS in favour of PyBUF_MAX_NDIM. #​3757
• Fix segmentation fault using datetime types when an invalid datetime module is on sys.path. #​3818
• Fix non_local_definitions lint warning triggered by many PyO3 macros. #​3901
• Disable PyCode and PyCode_Type on PyPy: PyCode_Type is not exposed by PyPy. #​3934

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.