GHSA-39vw-qp34-rmwf: Uncontrolled recursion leads to abort in deserialization

August 25, 2021 (updated June 13, 2023)

Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.

References

github.com/advisories/GHSA-39vw-qp34-rmwf
github.com/dtolnay/serde-yaml
github.com/dtolnay/serde-yaml/commit/b93aff6e904cffbbfd1f421b82f6dcc5ca19a4fd
github.com/dtolnay/serde-yaml/pull/105
rustsec.org/advisories/RUSTSEC-2018-0005.html

Code Behaviors & Features

Detect and mitigate GHSA-39vw-qp34-rmwf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →