{"id":"RUSTSEC-2022-0004","summary":"Stack overflow in rustc_serialize when parsing deeply nested JSON","details":"When parsing JSON using `json::Json::from_str`, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process.\n\nExample code that triggers the vulnerability is\n\n```rust\nfn main() {\n    let _ = rustc_serialize::json::Json::from_str(&\"[0,[\".repeat(10000));\n}\n```\n\n[serde](https://crates.io/crates/serde) is recommended as a replacement for rustc_serialize.","aliases":["GHSA-2226-4v3c-cff8"],"modified":"2023-11-08T04:13:48.926151Z","published":"2022-01-01T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rustc-serialize"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0004.html"}],"affected":[{"package":{"name":"rustc-serialize","ecosystem":"crates.io","purl":"pkg:cargo/rustc-serialize"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":["rustc_serialize::json::Json::from_str"],"arch":[],"os":[]}},"database_specific":{"categories":["denial-of-service"],"informational":null,"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0004.json"}}],"schema_version":"1.7.3"}