 atty ^ up to date
 bitflags ^ up to date
 clippy ~0.0.166 0.0.302 up to date
 strsim ^ out of date
 term_size ^ up to date
 textwrap ^ out of date
 unicode-width ^ up to date
 vec_map ^ up to date
 ansi_term ^ out of date

Dev dependencies

(3 total, 1 outdated)

 lazy_static ^ up to date
 regex ^1 1.4.6 up to date
 version-sync ^ out of date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization


Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted: it is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).