- Reported:
- Issued:
- Package: serde_yaml (crates.io)
- Type: Vulnerability
- Keywords: #crash
- Details: https://github.com/dtolnay/serde-yaml/pull/105
- Patched:
- Unaffected:

Description
Affected versions of this crate did not properly check for recursion
while deserializing aliases.
This allows an attacker to craft a YAML file containing an alias that
refers to itself, which causes an abort.
The flaw was corrected by checking the recursion depth.
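
The depth check described above, shown on a simplified model as an added example (this is not serde_yaml's code). The `Node` and `Error` types, the `flatten` and `expand` functions, and the `RECURSION_LIMIT` value are hypothetical names and values chosen for illustration.

```rust
use std::collections::HashMap;

// Simplified node model, constructed for this example (not serde_yaml's types).
enum Node {
    Scalar(String),
    Seq(Vec<Node>),
    Alias(String), // reference to an anchored node by name
}

#[derive(Debug, PartialEq)]
enum Error {
    UnknownAnchor(String),
    RecursionLimitExceeded,
}

const RECURSION_LIMIT: usize = 128; // assumed value for the example

// Walk the tree, following aliases, and fail once the nesting depth passes the limit.
fn flatten(node: &Node, anchors: &HashMap<String, Node>, depth: usize,
           out: &mut Vec<String>) -> Result<(), Error> {
    if depth > RECURSION_LIMIT {
        return Err(Error::RecursionLimitExceeded);
    }
    match node {
        Node::Scalar(s) => out.push(s.clone()),
        Node::Seq(items) => {
            for item in items {
                flatten(item, anchors, depth + 1, out)?;
            }
        }
        Node::Alias(name) => {
            let target = anchors.get(name).ok_or_else(|| Error::UnknownAnchor(name.clone()))?;
            flatten(target, anchors, depth + 1, out)?;
        }
    }
    Ok(())
}

fn expand(root: &Node, anchors: &HashMap<String, Node>) -> Result<Vec<String>, Error> {
    let mut out = Vec::new();
    flatten(root, anchors, 0, &mut out)?;
    Ok(out)
}

fn main() {
    // Constructed input: anchor "a" holds a sequence that contains an alias to "a".
    let mut anchors = HashMap::new();
    anchors.insert("a".to_string(), Node::Seq(vec![Node::Scalar("x".into()), Node::Alias("a".into())]));
    println!("{:?}", expand(&Node::Alias("a".into()), &anchors));
}
```

Without the `depth` comparison, the self-referential input would recurse until the stack is exhausted; with it, the caller receives an error it can handle.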