GHSA-v3rj-xjv7-4jmq: smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines

March 25, 2026

An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.

The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.

References

github.com/advisories/GHSA-v3rj-xjv7-4jmq
github.com/squirrelchat/smol-toml
github.com/squirrelchat/smol-toml/releases/tag/v1.6.1
github.com/squirrelchat/smol-toml/security/advisories/GHSA-v3rj-xjv7-4jmq

Code Behaviors & Features

Detect and mitigate GHSA-v3rj-xjv7-4jmq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →