iotaledger / chronicle.rs

A framework for building IOTA permanodes
Apache License 2.0

RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #127

Closed (github-actions[bot] closed this 1 year ago)

github-actions[bot] commented 1 year ago

Uncontrolled recursion leads to abort in deserialization

Details

Package: yaml-rust
Version: 0.3.5
URL: https://github.com/chyh1990/yaml-rust/pull/109
Date: 2018-09-17
Patched versions: >=0.4.1

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted: it is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

See the advisory page for additional details.