

RUSTSEC-2026-0138

Unsound access to padding bytes while serializing date/time values using the Mysql backend

Reported
Issued
Package
diesel-async (crates.io)
Type
INFO Unsound
References
Patched
  • >=0.9.0

Description

Diesel-async uses the mysql-async crate to talk to MySQL compatible databases. That crate already exposes deserialized values for the date/time related types. Diesel-async then translated these deserialized values back into their serialized binary representation so that they could be fed into Diesel's deserialization framework.

When re-serializing these date/time values, Diesel-async relied on a cast from the #[repr(C)] MysqlTime struct (defined by Diesel) to a byte array. Because the struct contains padding bytes, whose contents are never initialized, such a cast exposes them as if they were valid data, which is undefined behaviour.
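The pattern the advisory describes, rebuilt as an added example (this is not Diesel's or diesel-async's code): a simplified #[repr(C)] struct whose field list is an assumption made for illustration, the unsound whole-struct-to-byte-array cast kept only for contrast and never executed, and a field-by-field serializer that never touches padding, which is the shape of fix the Resolution section refers to in general terms. The little-endian encoding and the sample value are also assumptions.

```rust
use std::mem::size_of;

/// Simplified stand-in for Diesel's `#[repr(C)]` MysqlTime. The field list is an
/// assumption made for this example; what matters is that `neg` (1 byte) is
/// followed by an `i32`, so the compiler inserts three padding bytes after it.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct MysqlTime {
    pub year: u32,
    pub month: u32,
    pub day: u32,
    pub hour: u32,
    pub minute: u32,
    pub second: u32,
    pub second_part: u64,
    pub neg: bool,
    pub time_type: i32,
}

/// Bytes that actually carry data: the sum of the field sizes (37 on common targets).
pub const PAYLOAD_BYTES: usize =
    6 * size_of::<u32>() + size_of::<u64>() + size_of::<bool>() + size_of::<i32>();

/// Padding the compiler inserted. A by-value cast to `[u8; size_of::<MysqlTime>()]`
/// reads these bytes, and reading padding as initialized integers is undefined behaviour.
pub fn padding_bytes() -> usize {
    size_of::<MysqlTime>() - PAYLOAD_BYTES
}

/// UNSOUND pattern (the one the advisory describes): reinterpret the whole struct,
/// padding included, as a byte array. Kept for contrast only; nothing in this
/// example calls it. Miri reports the read of the padding as uninitialized memory.
pub unsafe fn to_bytes_unsound(t: &MysqlTime) -> [u8; size_of::<MysqlTime>()] {
    unsafe { std::mem::transmute_copy(t) }
}

/// Sound serialization: write every field explicitly so padding is never read.
/// Little-endian byte order is an assumption made for this example.
pub fn to_bytes(t: &MysqlTime) -> Vec<u8> {
    let mut out = Vec::with_capacity(PAYLOAD_BYTES);
    for v in [t.year, t.month, t.day, t.hour, t.minute, t.second] {
        out.extend_from_slice(&v.to_le_bytes());
    }
    out.extend_from_slice(&t.second_part.to_le_bytes());
    out.push(t.neg as u8);
    out.extend_from_slice(&t.time_type.to_le_bytes());
    debug_assert_eq!(out.len(), PAYLOAD_BYTES);
    out
}

/// Copy a slice into a fixed-size array (the slice length must match N).
fn arr<const N: usize>(b: &[u8]) -> [u8; N] {
    let mut a = [0u8; N];
    a.copy_from_slice(b);
    a
}

/// Inverse of `to_bytes`, so a round trip can be checked without touching padding.
/// Rejects wrong lengths and any `neg` byte other than 0 or 1.
pub fn from_bytes(b: &[u8]) -> Option<MysqlTime> {
    if b.len() != PAYLOAD_BYTES {
        return None;
    }
    let u32_at = |i: usize| u32::from_le_bytes(arr(&b[i..i + 4]));
    Some(MysqlTime {
        year: u32_at(0),
        month: u32_at(4),
        day: u32_at(8),
        hour: u32_at(12),
        minute: u32_at(16),
        second: u32_at(20),
        second_part: u64::from_le_bytes(arr(&b[24..32])),
        neg: match b[32] {
            0 => false,
            1 => true,
            _ => return None,
        },
        time_type: i32::from_le_bytes(arr(&b[33..37])),
    })
}

/// Constructed sample value for the example: 2024-05-17 13:45:30.000250, positive, type 7.
pub fn sample() -> MysqlTime {
    MysqlTime {
        year: 2024, month: 5, day: 17, hour: 13, minute: 45, second: 30,
        second_part: 250, neg: false, time_type: 7,
    }
}

fn main() {
    let t = sample();
    println!(
        "size_of::<MysqlTime>() = {}, payload = {}, padding = {}",
        size_of::<MysqlTime>(), PAYLOAD_BYTES, padding_bytes()
    );
    let bytes = to_bytes(&t);
    println!("serialized {} bytes: {:02x?}", bytes.len(), bytes);
    assert_eq!(from_bytes(&bytes), Some(t));
}
```

The gap between size_of::<MysqlTime>() and PAYLOAD_BYTES is the whole problem: a whole-struct cast hands those padding bytes to the caller as if they were data, while the explicit serializer emits exactly PAYLOAD_BYTES and round-trips cleanly.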

This vulnerability affects any user deserializing date/time values using the Mysql backend and diesel-async.

This affects any usage of the following functions with an AsyncMysqlConnection provided by diesel-async:

Mitigation

The preferred mitigation is to update diesel-async to version 0.9.0 or newer, which includes fixes for the problem.

Resolution

Diesel-async now calls a safe serialization method provided by Diesel 2.3.9 and newer, so the struct is no longer cast to a byte array.

Advisory available under CC0-1.0 license.