This advisory has been withdrawn and should be ignored. It is kept only for reference.

Reported

January 26, 2022

Issued

August 15, 2022 (last modified: May 5, 2023)

Package

xml-rs (crates.io)

Type

INFO Unmaintained

References

• https://github.com/netvl/xml-rs/issues
• https://github.com/netvl/xml-rs/issues/219
• https://github.com/netvl/xml-rs/issues/210
• https://github.com/netvl/xml-rs/issues/204

Patched

no patched versions

Description

xml-rs is a XML parser has open issues around parsing including integer overflows / panics that may or may not be an issue with untrusted data.

Together with these open issues with Unmaintained status xml-rs may or may not be suited to parse untrusted data.

Alternatives

• quick-xml

Advisory available under CC0-1.0 license.