
RUSTSEC-2018-0005

Uncontrolled recursion leads to abort in deserialization

Reported:
Issued:
Package: serde_yaml (crates.io)
Type: Vulnerability
Keywords: #crash
Aliases:
References:
Patched:
  • >=0.8.4
Unaffected:
  • <0.6.0-rc1

Description

Affected versions of this crate did not check for recursion while deserializing aliases.

This allows an attacker to craft a YAML file containing an alias that refers to itself (directly or through a cycle of anchors), causing unbounded recursion and an abort when the stack is exhausted.

The flaw was corrected by checking the recursion depth during alias resolution and returning an error once a limit is exceeded.
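The fix described above, as an added illustration that is not serde_yaml's code: a toy anchor/alias resolver over a minimal node model. The `Node` and `ResolveError` types, the anchor table, the `MAX_DEPTH` value of 128, and the two sample documents (`&a [*a]`, which aliases itself, and a benign `&b [1, 2]` reused twice) are all constructed for this example. Without the depth check in `resolve`, the `Alias` arm would recurse on the self-referential document until the stack is exhausted; with it, the resolver returns an error instead.

```rust
// Added illustration of a depth-limited alias resolver; not serde_yaml's code.
// Node model, anchor table and MAX_DEPTH are constructed for this example.

use std::collections::HashMap;

/// A minimal YAML-like node: scalars, sequences, and aliases (`*name`).
#[derive(Debug, Clone, PartialEq)]
pub enum Node {
    Scalar(String),
    Seq(Vec<Node>),
    Alias(String),
}

/// Returned when alias expansion exceeds the depth limit or names an
/// anchor that does not exist.
#[derive(Debug, PartialEq)]
pub enum ResolveError {
    RecursionLimitExceeded(usize),
    UnknownAnchor(String),
}

/// Depth limit (constructed value; the real crate's limit may differ).
pub const MAX_DEPTH: usize = 128;

/// Expand every alias in `node` using `anchors`, tracking `depth` so that a
/// self-referential anchor (`&a [*a]`) yields an error instead of aborting.
pub fn resolve(
    node: &Node,
    anchors: &HashMap<String, Node>,
    depth: usize,
) -> Result<Node, ResolveError> {
    // The check the advisory describes: bail out once nesting gets too deep.
    if depth > MAX_DEPTH {
        return Err(ResolveError::RecursionLimitExceeded(depth));
    }
    match node {
        Node::Scalar(s) => Ok(Node::Scalar(s.clone())),
        Node::Seq(items) => {
            let mut out = Vec::with_capacity(items.len());
            for item in items {
                out.push(resolve(item, anchors, depth + 1)?);
            }
            Ok(Node::Seq(out))
        }
        Node::Alias(name) => {
            // Without the depth guard above, a cycle here recurses forever.
            let target = anchors
                .get(name)
                .ok_or_else(|| ResolveError::UnknownAnchor(name.clone()))?;
            resolve(target, anchors, depth + 1)
        }
    }
}

/// Constructed sample: `&a [*a]`, an anchor whose body aliases itself.
pub fn self_referential_doc() -> (Node, HashMap<String, Node>) {
    let body = Node::Seq(vec![Node::Alias("a".to_string())]);
    let mut anchors = HashMap::new();
    anchors.insert("a".to_string(), body.clone());
    (body, anchors)
}

/// Constructed sample: `&b [1, 2]` referenced twice as `[*b, *b]`.
pub fn benign_doc() -> (Node, HashMap<String, Node>) {
    let b = Node::Seq(vec![Node::Scalar("1".into()), Node::Scalar("2".into())]);
    let mut anchors = HashMap::new();
    anchors.insert("b".to_string(), b);
    let root = Node::Seq(vec![Node::Alias("b".into()), Node::Alias("b".into())]);
    (root, anchors)
}

fn main() {
    let (root, anchors) = self_referential_doc();
    println!("self-referential: {:?}", resolve(&root, &anchors, 0));
    let (root, anchors) = benign_doc();
    println!("benign: {:?}", resolve(&root, &anchors, 0));
}
```

On the self-referential document the resolver alternates between the `Seq` and `Alias` arms, incrementing `depth` each time, until it crosses `MAX_DEPTH` and returns `RecursionLimitExceeded`; the benign document expands to two copies of the anchored sequence. A real parser would also want to bound total expanded size, since aliases can multiply output without deep nesting, but that is a separate concern from the recursion issue this advisory covers.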

Advisory available under CC0-1.0 license.