{"id":"RUSTSEC-2026-0135","summary":"Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend","details":"Diesel allows users to output the generated SQL for any query DSL construct via th `diesel::debug_query` function as `Display` and `Debug` output.\n\nFor the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a `#[repr(rust)]` layout. This is formally undefined behaviour as the compiler is free to change the layout of these types at any time. \n\nThis vulnerability affects users that print out batch insert statements constructed using an array/vector of values without default values using `diesel::debug_query` on the SQLite backend.\n\n## Mitigation\n\nThe preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.\n\n## Resolution\n\nDiesel now uses a sound cast instead.","modified":"2026-05-13T14:30:09.174119Z","published":"2026-04-24T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/diesel"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0135.html"},{"type":"WEB","url":"https://github.com/diesel-rs/diesel/pull/5042"}],"affected":[{"package":{"name":"diesel","ecosystem":"crates.io","purl":"pkg:cargo/diesel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"2.3.8"}]}],"ecosystem_specific":{"affects":{"functions":["diesel::debug_query"],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"informational":"unsound","cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0135.json","categories":[]}}],"schema_version":"1.7.5"}