{"id":"RUSTSEC-2026-0138","summary":"Unsound access to padding bytes while serializing date/time values using the Mysql backend","details":"Diesel-async uses the mysql-async crate for interacting with Mysql compatible databases. This library already provides access to deserialized data for date/time related types. Diesel-async then translated these deserialized data back to their serialized binary representation to hook into Diesel's deserialization framework.\n\nWhile serializing these date/time values again Diesel-async relied on a cast between the `MysqlTime` `#[repr(C)]` struct (defined by Diesel) and a byte array. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.\n\nThis vulnerability affects any user deserializing date/time values using the Mysql backend and diesel-async.\n\nThis affects any usage of the following functions with an `AsyncMysqlConnection` provided by diesel-async:\n\n* `diesel::serialize::FromSql\u003cTimestamp, Mysql\u003e`\n* `diesel::serialize::FromSql\u003cTime, Mysql\u003e`\n* `diesel::serialize::FromSql\u003cDate, Mysql\u003e`\n* `diesel::serialize::FromSql\u003cDateTime, Mysql\u003e`\n\n\n## Mitigation\n\nThe preferred mitigation to the outlined problem is to update to Diesel-async version 0.9.0 or newer, which includes fixes for the problem.\n\n## Resolution\n\nDiesel-async now just calls a safe serialization method provided by Diesel 2.3.9 and newer","modified":"2026-05-13T14:32:26.464180Z","published":"2026-04-30T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/diesel-async"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0138.html"},{"type":"ADVISORY","url":"https://github.com/diesel-rs/diesel_async/security/advisories/GHSA-ff9q-rm55-q7qr"}],"affected":[{"package":{"name":"diesel-async","ecosystem":"crates.io","purl":"pkg:cargo/diesel-async"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.9.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":[],"os":[],"arch":[]}},"database_specific":{"informational":"unsound","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0138.json","cvss":null,"categories":[]}}],"schema_version":"1.7.5"}