GHSA-jf5h-cf95-w759: Optional `Deserialize` implementations lacking validation

June 17, 2022

When activating the non-default feature serialize, most structs implement serde::Deserialize without sufficient validation. This allows breaking invariants in safe code, leading to:

Undefined behavior in as_string() methods (which use std::str::from_utf8_unchecked() internally).
Panics due to failed assertions.

See https://github.com/gz/rust-cpuid/issues/43.

References

github.com/advisories/GHSA-jf5h-cf95-w759
github.com/gz/rust-cpuid
github.com/gz/rust-cpuid/issues/43
rustsec.org/advisories/RUSTSEC-2021-0089.html

Code Behaviors & Features

Detect and mitigate GHSA-jf5h-cf95-w759 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →