The Index and IndexMut implementations for Caja use unchecked pointer arithmetic without bounds validation. Creating a Caja with a small key and then accessing an out-of-range index causes out-of-bounds reads or writes beyond the allocated memory.

This can be triggered through safe public APIs — the [] indexing operator on a Caja with an out-of-range index — with no unsafe required from the caller.