This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate treediff

Dependencies

(4 total, 1 insecure, 1 possibly insecure)

CrateRequiredLatestStatus
 rustc-serialize ⚠️^0.3.240.3.25insecure
 serde_json^1.0.451.0.117up to date
 serde_yaml^0.90.9.34+deprecatedup to date
 yaml-rust ⚠️^0.40.4.5maybe insecure

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 serde^1.01.0.203up to date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

rustc-serialize: Stack overflow in rustc_serialize when parsing deeply nested JSON

RUSTSEC-2022-0004

When parsing JSON using json::Json::from_str, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process.

Example code that triggers the vulnerability is

fn main() {
    let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
}

serde is recommended as a replacement to rustc_serialize.