GHSA-hhw4-xg65-fp2x: serde_yml crate is unsound and unmaintained

September 15, 2025 (updated November 10, 2025)

Using serde_yml::ser::Serializer.emitter can cause a segmentation fault, which is unsound.

The GitHub project for serde_yml was archived after unsoundness issues were raised.

If you rely on this crate, it is highly recommended switching to a maintained alternative.

References

github.com/advisories/GHSA-hhw4-xg65-fp2x
github.com/rustsec/advisory-db/issues/2395
github.com/sebastienrousseau/serde_yml
rustsec.org/advisories/RUSTSEC-2025-0068.html

Code Behaviors & Features

Detect and mitigate GHSA-hhw4-xg65-fp2x with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →