GHSA-2226-4v3c-cff8: Stack overflow in rustc_serialize when parsing deeply nested JSON
When parsing JSON using json::Json::from_str, there is no limit on nesting depth (and so none on the parser's recursion), therefore deeply nested objects can cause a stack overflow, which aborts the process.
Example code that triggers the vulnerability is:
    fn main() {
        let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
    }
serde is recommended as a replacement to rustc_serialize.
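The mitigation the description implies is a nesting-depth bound enforced before each recursive step, so hostile input is rejected with an error instead of exhausting the stack. The following is an added example written for this page, not code from rustc_serialize or from the advisory: a recursive-descent parser for a small JSON subset (integers and nested arrays) that takes an explicit depth limit. The type and function names, the constructed input, and the value of MAX_DEPTH are assumptions made for the example.

```rust
// Added example, not rustc_serialize's code: a depth-bounded parser for a
// JSON subset (integers and nested arrays). Every '[' costs stack frames, so
// the depth is checked before recursing rather than after the stack is gone.

#[derive(Debug, PartialEq)]
pub enum Value {
    Int(i64),
    Array(Vec<Value>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooDeep { limit: usize }, // nesting exceeded the configured limit
    Unexpected(usize),        // unexpected byte at this offset
    UnexpectedEnd,            // input ended inside a value
}

/// Assumed limit for the example; size it to the data you expect and the
/// stack your process actually runs with.
pub const MAX_DEPTH: usize = 128;

pub struct Parser<'a> {
    bytes: &'a [u8],
    pos: usize,
    limit: usize,
}

impl<'a> Parser<'a> {
    pub fn new(input: &'a str, limit: usize) -> Self {
        Parser { bytes: input.as_bytes(), pos: 0, limit }
    }

    fn skip_ws(&mut self) {
        while self.pos < self.bytes.len() && self.bytes[self.pos].is_ascii_whitespace() {
            self.pos += 1;
        }
    }

    fn peek(&self) -> Option<u8> {
        self.bytes.get(self.pos).copied()
    }

    /// Parses a complete document; trailing garbage is an error.
    pub fn parse(&mut self) -> Result<Value, ParseError> {
        let v = self.parse_value(0)?;
        self.skip_ws();
        if self.pos != self.bytes.len() {
            return Err(ParseError::Unexpected(self.pos));
        }
        Ok(v)
    }

    fn parse_value(&mut self, depth: usize) -> Result<Value, ParseError> {
        self.skip_ws();
        match self.peek() {
            None => Err(ParseError::UnexpectedEnd),
            Some(b'[') => {
                // The check happens before the recursive call, so `limit`
                // bounds the recursion no matter how long the input is.
                if depth >= self.limit {
                    return Err(ParseError::TooDeep { limit: self.limit });
                }
                self.pos += 1;
                self.parse_array_body(depth + 1)
            }
            Some(c) if c == b'-' || c.is_ascii_digit() => self.parse_int(),
            Some(_) => Err(ParseError::Unexpected(self.pos)),
        }
    }

    fn parse_array_body(&mut self, depth: usize) -> Result<Value, ParseError> {
        let mut items = Vec::new();
        self.skip_ws();
        if self.peek() == Some(b']') {
            self.pos += 1;
            return Ok(Value::Array(items));
        }
        loop {
            items.push(self.parse_value(depth)?);
            self.skip_ws();
            match self.peek() {
                Some(b',') => self.pos += 1,
                Some(b']') => {
                    self.pos += 1;
                    return Ok(Value::Array(items));
                }
                Some(_) => return Err(ParseError::Unexpected(self.pos)),
                None => return Err(ParseError::UnexpectedEnd),
            }
        }
    }

    fn parse_int(&mut self) -> Result<Value, ParseError> {
        let start = self.pos;
        if self.peek() == Some(b'-') {
            self.pos += 1;
        }
        while matches!(self.peek(), Some(c) if c.is_ascii_digit()) {
            self.pos += 1;
        }
        // Slicing on ASCII byte boundaries, so this is always valid UTF-8.
        let text = std::str::from_utf8(&self.bytes[start..self.pos]).unwrap();
        text.parse::<i64>().map(Value::Int).map_err(|_| ParseError::Unexpected(start))
    }
}

pub fn parse_with_limit(input: &str, limit: usize) -> Result<Value, ParseError> {
    Parser::new(input, limit).parse()
}

fn main() {
    // Constructed input mirroring the advisory's trigger: 10_000 unclosed nested arrays.
    let hostile = "[0,[".repeat(10_000);
    println!("{:?}", parse_with_limit(&hostile, MAX_DEPTH)); // Err(TooDeep { limit: 128 })
    println!("{:?}", parse_with_limit("[1, [2, [3]]]", MAX_DEPTH));
}
```

With the bound in place the 10,000-level input fails at depth 128 with a recoverable error, while ordinary documents parse normally. The same pattern (a depth argument threaded through every recursive call and checked before descending) is how a full JSON parser is hardened; a pre-scan that counts unmatched brackets is a weaker alternative when the parser itself cannot be changed.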
Stack overflow in rustc_serialize when parsing deeply nested JSON
Moderate severity GitHub Reviewed Published Jun 17, 2022 • Updated Jun 17, 2022
Package
cargo rustc-serialize (Rust)
Affected versions
<= 0.3.24
Patched versions
None
References
- https://github.com/rust-lang-deprecated/rustc-serialize
- https://rustsec.org/advisories/RUSTSEC-2022-0004.html
Severity
Moderate
Weaknesses
No CWEs
CVE ID
No known CVE
GHSA ID
GHSA-2226-4v3c-cff8
Source code
rust-lang/rustc-serialize