advisory-db/crates/serde_yaml/RUSTSEC-2018-0005.md

[advisory]
id = "RUSTSEC-2018-0005"
package = "serde_yaml"
date = "2018-09-17"
keywords = ["crash"]
url = "https://github.com/dtolnay/serde-yaml/pull/105"
aliases = ["GHSA-39vw-qp34-rmwf"]

[versions]
patched = [">= 0.8.4"]
unaffected = ["< 0.6.0-rc1"]

Uncontrolled recursion leads to abort in deserialization

Affected versions of this crate did not properly check for recursion while deserializing aliases.

This allows an attacker to make a YAML file with an alias referring to itself causing an abort.

The flaw was corrected by checking the recursion depth.