{"id":"RUSTSEC-2018-0005","summary":"Uncontrolled recursion leads to abort in deserialization","details":"Affected versions of this crate did not properly check for recursion\nwhile deserializing aliases.\n\nThis allows an attacker to make a YAML file with an alias referring\nto itself causing an abort.\n\nThe flaw was corrected by checking the recursion depth.","aliases":["GHSA-39vw-qp34-rmwf"],"modified":"2023-11-08T04:14:33.650192Z","published":"2018-09-17T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/serde_yaml"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2018-0005.html"},{"type":"WEB","url":"https://github.com/dtolnay/serde-yaml/pull/105"}],"affected":[{"package":{"name":"serde_yaml","ecosystem":"crates.io","purl":"pkg:cargo/serde_yaml"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.6.0-rc1"},{"fixed":"0.8.4"}]}],"ecosystem_specific":{"affects":{"functions":[],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"informational":null,"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2018-0005.json","categories":[]}}],"schema_version":"1.7.3"}