
RUSTSEC-2018-0005

Uncontrolled recursion leads to abort in deserialization

Reported:
Issued:
Package: serde_yaml (crates.io)
Type: Vulnerability
Keywords: #crash
Details: https://github.com/dtolnay/serde-yaml/pull/105
Patched:
  • >=0.8.4
Unaffected:
  • <0.6.0-rc1

Description

Affected versions of this crate did not properly check for recursion while deserializing aliases.

This allows an attacker to craft a YAML file with an alias referring to itself, causing an abort.

The flaw was corrected by checking the recursion depth.
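The following is an added illustration of the depth check described above; it is not serde_yaml's code and does not use the crate. It models a parsed YAML document as an anchor table (anchor name to node) with alias nodes that refer to anchors, and resolves aliases with an explicit depth counter so that a self-referential alias (here a constructed anchor `a` whose value is a sequence containing `*a`) is rejected with an error instead of recursing until the stack overflows. The `MAX_DEPTH` value, the `Node`/`Document` types and the sample documents are all assumptions made for this example.

```rust
use std::collections::HashMap;

/// Toy model of a parsed YAML node: a scalar, a sequence, or an alias `*name`
/// pointing at an anchor. Illustrative only, not serde_yaml's representation.
#[derive(Debug, Clone, PartialEq)]
pub enum Node {
    Scalar(String),
    Seq(Vec<Node>),
    Alias(String),
}

#[derive(Debug, PartialEq)]
pub enum ResolveError {
    UnknownAnchor(String),
    RecursionLimitExceeded { depth: usize },
}

/// Maximum nesting / alias-resolution depth (assumed value for this example).
pub const MAX_DEPTH: usize = 128;

/// A document is its anchor table; aliases are resolved against it.
pub struct Document {
    pub anchors: HashMap<String, Node>,
}

impl Document {
    /// Resolve every alias reachable from `node`, failing instead of recursing
    /// deeper than `MAX_DEPTH`. This is the mitigation the advisory describes:
    /// bounded recursion turns a stack-exhausting input into a plain error.
    pub fn resolve(&self, node: &Node) -> Result<Node, ResolveError> {
        self.resolve_at(node, 0)
    }

    fn resolve_at(&self, node: &Node, depth: usize) -> Result<Node, ResolveError> {
        if depth > MAX_DEPTH {
            return Err(ResolveError::RecursionLimitExceeded { depth });
        }
        match node {
            Node::Scalar(s) => Ok(Node::Scalar(s.clone())),
            Node::Alias(name) => {
                let target = self
                    .anchors
                    .get(name)
                    .ok_or_else(|| ResolveError::UnknownAnchor(name.clone()))?;
                // Following an alias consumes one level of depth.
                self.resolve_at(target, depth + 1)
            }
            Node::Seq(items) => {
                let mut out = Vec::with_capacity(items.len());
                for item in items {
                    out.push(self.resolve_at(item, depth + 1)?);
                }
                Ok(Node::Seq(out))
            }
        }
    }
}

/// Constructed benign document: `greeting: &greeting hello` then `*greeting`.
pub fn benign_document() -> Document {
    let mut anchors = HashMap::new();
    anchors.insert("greeting".to_string(), Node::Scalar("hello".to_string()));
    Document { anchors }
}

/// Constructed malicious document: `a: &a [*a]`, an alias referring to itself.
pub fn self_referential_document() -> Document {
    let mut anchors = HashMap::new();
    anchors.insert("a".to_string(), Node::Seq(vec![Node::Alias("a".to_string())]));
    Document { anchors }
}

fn main() {
    let benign = benign_document();
    println!("{:?}", benign.resolve(&Node::Alias("greeting".to_string())));
    let malicious = self_referential_document();
    println!("{:?}", malicious.resolve(&Node::Alias("a".to_string())));
}
```

Without the `depth > MAX_DEPTH` guard, `resolve_at` on the self-referential document would call itself indefinitely; with it, the resolver returns `RecursionLimitExceeded` and the caller can reject the input. The same counter also bounds legitimately deep nesting, which is the trade-off any fixed limit makes.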