RUSTSEC-2025-0068

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2025-0068

Import Source

JSON Data

https://api.test.osv.dev/v1/vulns/RUSTSEC-2025-0068

Published

2025-09-11T12:00:00Z

Modified

2025-09-12T07:28:19Z

Summary

serde_yml crate is unsound and unmaintained

Details

Using serde_yml::ser::Serializer.emitter can cause a segmentation fault, which is unsound.

The GitHub project for serde_yml was archived after unsoundness issues were raised.

If you rely on this crate, it is highly recommended switching to a maintained alternative.

Recommended alternatives

<code>serde_norway</code> - Maintained fork of serde_yaml, using unsafe-libyaml-norway
<code>serde_yaml_ng</code> - Maintained fork of serde_yaml, using unmaintained unsafe-libyaml

These implementation do not rely on C libyaml.

Database specific

{
    "license": "CC0-1.0"
}

References

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

{
    "informational": "unsound",
    "categories": [],
    "cvss": null
}