This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate treediff


(4 total, 1 insecure, 1 possibly insecure)

 rustc-serialize ⚠️^
 serde_json^1.0.451.0.117up to date
 serde_yaml^ to date
 yaml-rust ⚠️^ insecure

Dev dependencies

(1 total, all up-to-date)

 serde^ to date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization


Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

rustc-serialize: Stack overflow in rustc_serialize when parsing deeply nested JSON


When parsing JSON using json::Json::from_str, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process.

Example code that triggers the vulnerability is

fn main() {
    let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));

serde is recommended as a replacement to rustc_serialize.