GHSA-7GCF-G7XR-8HXJ: Denial of Service via Integer Underflow and Uncontrolled Allocation in serde_with
Vulnerability ID: GHSA-7GCF-G7XR-8HXJ
CVSS Score: 7.5
Published: 2026-07-15
A Denial of Service (DoS) vulnerability in the Rust crate serde_with arises from an integer underflow and uncontrolled memory allocation during the processing of empty collections using the KeyValueMap helper. Depending on the build profile, this flaw leads to an immediate thread panic (debug) or process abort due to an out-of-memory condition (release).
TL;DR
A vulnerability in the Rust crate serde_with allows remote attackers to trigger process termination via an integer underflow or uncontrolled memory allocation when deserializing crafted payloads.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-191, CWE-400, CWE-248
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- Impact: Denial of Service (DoS)
- Exploit Status: Proof-of-Concept (PoC)
- KEV Status: Not Listed
- Ransomware Use: No
Affected Systems
- serde_with (Rust crate)
-
serde_with: < 3.21.0 (Fixed in:
3.21.0)
Code Analysis
Commit: c8a1d82
Protect all collection creations against capacity overflow by using size_hint_cautious (#966)
Exploit Details
- GitHub Security Advisory: Contains disclosure text and proof-of-concept configuration examples for triggering the DoS flow.
Mitigation Strategies
- Upgrade serde_with dependency to version 3.21.0 or higher.
- Use cargo audit to scan dependency trees and lock files for vulnerable versions.
- Restrict maximum allowable payload sizes at reverse proxies or Web Application Firewalls (WAF).
Remediation Steps:
- Open the project's Cargo.toml file.
- Locate the serde_with dependency entry.
- Update the version constraint to at least '3.21.0' (e.g., serde_with = '3.21.0').
- Run cargo update serde_with to update your Cargo.lock file.
- Recompile and verify the target application via test suites under release profile.
References
- GitHub Security Advisory GHSA-7GCF-G7XR-8HXJ
- Official Pull Request #966
- Fix Commit
- Release Tag v3.21.0
Read the full report for GHSA-7GCF-G7XR-8HXJ on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)