{"ecosystem":"cargo","package":"serde_yaml","version":null,"bugs":[{"id":910,"ecosystem":"cargo","package_name":"serde_yaml","affected_version":"0.6.0-rc1","fixed_version":"0.8.4","bug_id":"osv:RUSTSEC-2018-0005","title":"Uncontrolled recursion leads to abort in deserialization","description":"Affected versions of this crate did not properly check for recursion\nwhile deserializing aliases.\n\nThis allows an attacker to make a YAML file with an alias referring\nto itself causing an abort.\n\nThe flaw was corrected by checking the recursion depth.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/serde_yaml","labels":["GHSA-39vw-qp34-rmwf"],"created_at":"2026-04-19T04:32:12.685347+00:00","updated_at":"2026-04-19T04:32:12.685347+00:00"},{"id":909,"ecosystem":"cargo","package_name":"serde_yaml","affected_version":"0.6.0-rc1","fixed_version":"0.8.4","bug_id":"osv:GHSA-39vw-qp34-rmwf","title":"Uncontrolled recursion leads to abort in deserialization","description":"Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/dtolnay/serde-yaml/pull/105","labels":["RUSTSEC-2018-0005"],"created_at":"2026-04-19T04:32:12.684353+00:00","updated_at":"2026-04-19T04:32:12.684353+00:00"}],"total":2,"_cache":"miss"}