An issue exists in the libflate crate prior to 0.1.25 for Rust. MultiDecoder::read has a use-after-free, leading to arbitrary code execution.
libflate project libflate