Reported

September 11, 2025

Issued

September 12, 2025 (last modified: October 28, 2025)

Package

serde_yml (crates.io)

Type

INFO Unsound

Aliases

• GHSA-hhw4-xg65-fp2x

References

• https://github.com/rustsec/advisory-db/issues/2395

Patched

no patched versions

Description

Using serde_yml::ser::Serializer.emitter can cause a segmentation fault, which is unsound.

The GitHub project for serde_yml was archived after unsoundness issues were raised.

If you rely on this crate, it is highly recommended switching to a maintained alternative.

Recommended alternatives

• serde_norway - Maintained fork of serde_yaml, using unsafe-libyaml-norway
• serde_yaml_ng - Maintained fork of serde_yaml, using unmaintained unsafe-libyaml

Incomplete pure Rust alternatives

These implementation do not rely on C libyaml.

• serde_yaml2
• yaml-peg

Advisory available under CC0-1.0 license.