Uncontrolled recursion leads to abort in deserialization · GHSA-39vw-qp34-rmwf · GitHub Advisory Database · GitHub

Uncontrolled recursion leads to abort in deserialization

Moderate severity GitHub Reviewed Published Aug 25, 2021 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

serde_yaml (Rust)

Affected versions

>= 0.6.0-rc1, < 0.8.4

Patched versions

0.8.4

Description

Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.

References

Reviewed Aug 6, 2021

Published to the GitHub Advisory Database Aug 25, 2021

Last updated Jun 13, 2023