You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Aug 2, 2022. It is now read-only.
yaml-rust0.3.5>=0.4.1Affected versions of this crate did not prevent deep recursion while
deserializing data structures.
This allows an attacker to make a YAML file with deeply nested structures
that causes an abort while deserializing it.
The flaw was corrected by checking the recursion depth.
Note:
clap 2.33is not affected by this because it usesyaml-rustin a way that doesn't trigger the vulnerability. More specifically:
The input to the YAML parser is always trusted - is included at compile
time via
include_str!.The nesting level is never deep enough to trigger the overflow in practice
(at most 5).
See advisory page for additional details.