RUSTSEC-2018-0005

Uncontrolled recursion leads to abort in deserialization

Reported

September 17, 2018

Issued

October 2, 2020

Package

serde_yaml (crates.io)

Type

Vulnerability

Keywords

#crash

Details

https://github.com/dtolnay/serde-yaml/pull/105

Patched

Unaffected

Affected versions of this crate did not properly check for recursion while deserializing aliases.

This allows an attacker to make a YAML file with an alias referring to itself causing an abort.

The flaw was corrected by checking the recursion depth.