DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7GCF-G7XR-8HXJ: GHSA-7GCF-G7XR-8HXJ: Denial of Service via Integer Underflow and Uncontrolled Allocation in serde_with

GHSA-7GCF-G7XR-8HXJ: Denial of Service via Integer Underflow and Uncontrolled Allocation in serde_with

Vulnerability ID: GHSA-7GCF-G7XR-8HXJ
CVSS Score: 7.5
Published: 2026-07-15

A Denial of Service (DoS) vulnerability in the Rust crate serde_with arises from an integer underflow and uncontrolled memory allocation during the processing of empty collections using the KeyValueMap helper. Depending on the build profile, this flaw leads to an immediate thread panic (debug) or process abort due to an out-of-memory condition (release).

TL;DR

A vulnerability in the Rust crate serde_with allows remote attackers to trigger process termination via an integer underflow or uncontrolled memory allocation when deserializing crafted payloads.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-191, CWE-400, CWE-248
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5 (High)
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof-of-Concept (PoC)
  • KEV Status: Not Listed
  • Ransomware Use: No

Affected Systems

  • serde_with (Rust crate)
  • serde_with: < 3.21.0 (Fixed in: 3.21.0)

Code Analysis

Commit: c8a1d82

Protect all collection creations against capacity overflow by using size_hint_cautious (#966)

Exploit Details

  • GitHub Security Advisory: Contains disclosure text and proof-of-concept configuration examples for triggering the DoS flow.

Mitigation Strategies

  • Upgrade serde_with dependency to version 3.21.0 or higher.
  • Use cargo audit to scan dependency trees and lock files for vulnerable versions.
  • Restrict maximum allowable payload sizes at reverse proxies or Web Application Firewalls (WAF).

Remediation Steps:

  1. Open the project's Cargo.toml file.
  2. Locate the serde_with dependency entry.
  3. Update the version constraint to at least '3.21.0' (e.g., serde_with = '3.21.0').
  4. Run cargo update serde_with to update your Cargo.lock file.
  5. Recompile and verify the target application via test suites under release profile.

References


Read the full report for GHSA-7GCF-G7XR-8HXJ on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)