GHSA-jf5h-cf95-w759: Optional `Deserialize` implementations lacking validation
When activating the non-default feature serialize
, most structs implement
serde::Deserialize
without sufficient validation. This allows breaking
invariants in safe code, leading to:
- Undefined behavior in
as_string()
methods (which usestd::str::from_utf8_unchecked()
internally). - Panics due to failed assertions.
See https://github.com/gz/rust-cpuid/issues/43.
References
Detect and mitigate GHSA-jf5h-cf95-w759 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →