
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability GHSA-gfxp-f68g-8x78 affects the LibYML Rust package (libyml), specifically versions 0.0.4 through 0.0.5. The issue was discovered and reported on September 11, 2025, and was published to the GitHub Advisory Database on September 15, 2025. The vulnerability stems from an unsound implementation of the libyml::string::yaml_string_extend function that was introduced in version 0.0.4; in Rust terms, "unsound" means that code reachable through the crate's safe API can trigger undefined behavior (GitHub Advisory).
The vulnerability has been assigned a High severity rating with a CVSS score of 8.7. The CVSS v4 metrics indicate that the vulnerability can be exploited over the network with low attack complexity, requires no privileges or user interaction, and primarily impacts system integrity. The vulnerability is classified under CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior) (GitHub Advisory).
The primary impact of this vulnerability is on system integrity, with no direct effects on confidentiality or availability. The undefined behavior in the yaml_string_extend function could lead to memory corruption or other unexpected behavior in applications using the affected versions of the library (GitHub Advisory).
There are no patched versions available as the project has been archived. Users are strongly recommended to switch to maintained alternatives such as libyaml-safer or unsafe-libyaml-norway, which is a maintained fork of unsafe-libyaml (RustSec Advisory).
The GitHub project for libyml was archived following the discovery of unsoundness issues, indicating a significant impact on the project's viability. The security community has responded by recommending alternative maintained libraries (RustSec Advisory).
Source: This report was generated using AI