RUSTSEC-2026-0111
- Source
- https://rustsec.org/advisories/RUSTSEC-2026-0111
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0111.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/RUSTSEC-2026-0111
- Published
- 2026-04-24T12:00:00Z
- Modified
- 2026-04-24T13:15:07.490499Z
- Summary
- Possible UTF-8 corruption in Diesels SQLite backend
- Details
-
Diesel uses the
sqlite3_value_textfunction to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as*const c_char. Based on that we usedstr::from_utf8_uncheckedto construct a Rust string slice without any additional UTF-8 checks in place. It turned out that this function doesn't always return correct UTF-8 strings. For field of the SQLite side storage typeBLOBthis pointer can contain arbitrary bytes, which makes the usage ofstr::from_utf8_uncheckedunsound as this violates the safety contract ofstrto only contain valid UTF-8 encoded Strings.Mitigation
The preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.
Resolution
Diesel now correctly checks whether the provides byte buffer is actually valid UTF-8, instead of relying on SQLite's documentation. This fix is included in the
2.3.8release. - Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / diesel
Package
- Name
- diesel
- View open source insights on deps.dev
- Purl
- pkg:cargo/diesel