Empty environment variable key
| Vulnerability potential | Low |
| DDoS potential | Low |
Environment variable operations require a non-empty key
Impact
std::env::set_var and std::env::remove_var panic if the key is empty,
contains an ASCII = (0x3D), or contains a NUL byte (0x00); on most
platforms the key must also be valid Unicode. An empty key is the most common
trigger and produces a panic such as
environment variable name cannot be empty. The current thread unwinds, and if
it is main the process exits with code 101 (or aborts under
panic = "abort").
The defect is usually a logic or input-validation slip: a key string is built
from configuration or user input and turns out to be empty (or to contain =),
so a call meant to set an environment variable instead crashes the program. The
blast radius is whatever depended on that thread.
Vulnerability potential
- Denial of service. If the key passed to
set_var/remove_varis derived from untrusted input and an attacker can make it empty or insert=/NUL, they force a panic; on a critical thread or underpanic = "abort"this crashes the process.
It is otherwise low-impact: the panic is well-defined, memory-safe, and the
input that reaches an environment-mutation call is rarely attacker-controlled in
practice. Note also that set_var/remove_var were made unsafe in Rust 2024
because mutating the process environment is not thread-safe, which is a separate
and arguably larger concern than the empty-key panic.
Technical details
The key validation lives in the platform set_var/remove_var implementations.
Empty keys, keys containing =, and keys containing interior NUL are rejected
because the underlying OS environment representation (NAME=VALUE C strings)
cannot encode them unambiguously: = is the name/value separator and NUL
terminates the C string. The functions therefore panic! rather than silently
corrupt the environment block.
Reads do not panic
std::env::var(key) and var_os(key) do not panic on an empty or odd key —
they simply return Err(VarError::NotPresent) / None. Only the mutating
calls validate and panic, so the defect is specific to set_var/remove_var.
Catching the issue
Validation
Validate keys before mutating the environment: reject empty strings and any key
containing = or NUL, ideally constraining keys to a known charset
([A-Za-z_][A-Za-z0-9_]*). Treat environment names derived from external input
as untrusted.
Lint and review
Code review should flag set_var/remove_var calls with dynamically built keys
and ensure a non-empty, well-formed key is guaranteed. Under Rust 2024 these
calls are unsafe, so each already requires a # Safety justification that can
also cover key validity. Tests that exercise the empty-key path will surface the
panic immediately.
How to reproduce
Run the following; observe the panic on the empty key.
fn main() {
let key = ""; // built from config/input; turns out empty
std::env::set_var(key, "value"); // panic: environment variable name cannot be empty
println!("set");
}