
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability affects the LibYML Rust crate (libyml, versions 0.0.4 through 0.0.5) and concerns unsound behavior in the libyml::string::yaml_string_extend function. The issue was discovered and reported on September 11, 2025, and the advisory was issued on September 12, 2025. It carries a high severity rating with a CVSS score of 8.7 (GitHub Advisory).
The root cause is undefined behavior in the libyml::string::yaml_string_extend function, present since version 0.0.4. In Rust terms, "unsound" means the undefined behavior is reachable from safe code, so the memory-safety guarantees callers expect from the compiler do not hold for this API. The issue is classified under CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The CVSS v4 metrics record a network attack vector, low attack complexity, and no privileges or user interaction required (GitHub Advisory).
On impact, the CVSS v4 vector rates integrity of the vulnerable system as high and confidentiality and availability as none, with no impact on subsequent systems (GitHub Advisory). Note that the vector scores the reported issue; undefined behavior reached by parsing untrusted input is not in general confined to one impact category.
No patch is available because the project has been archived. Users should migrate to a maintained alternative such as libyaml-safer or unsafe-libyaml-norway, a maintained fork of unsafe-libyaml (RustSec Advisory). Because the advisory is in the RustSec database, cargo audit reports it against any Cargo.lock that still resolves libyml, including as a transitive dependency.
The LibYML GitHub repository was archived after the unsoundness was discovered, so the crate should be treated as unmaintained. The issue was first identified in production use and reported through the RustSec advisory system (GitHub Issues).
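The first step in acting on the migration guidance is to find out whether libyml is in your dependency graph at all and which crate pulls it in, since it is more likely to arrive transitively than as a direct dependency. The script below is an added example for this page, not code from the libyml project or from the advisory. It reads a Cargo.lock with a small line-based parser for the [[package]] tables Cargo writes (so it needs only the standard library) and prints every path from a workspace root down to the crate. The lockfile embedded in it is constructed for illustration; the crate names config-loader and my-service are hypothetical.

```python
"""Find whether a crate is in a Cargo.lock and which packages pull it in.

Added example for this advisory page; it is not code from the libyml project
or from the advisory. The lockfile reader is a small line-based parser for the
[[package]] tables Cargo writes, so it runs on any Python 3 with no third-party
packages.
"""
import re
import sys

# Constructed sample lockfile for illustration (not a real project's Cargo.lock);
# the crates config-loader and my-service are hypothetical.
SAMPLE_LOCK = '''\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "config-loader"
version = "0.3.1"
dependencies = [
 "libyml",
 "serde",
]

[[package]]
name = "libyml"
version = "0.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "my-service"
version = "1.0.0"
dependencies = [
 "config-loader",
 "serde",
]

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
'''

_KEY_VALUE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"$')


def parse_lock(text):
    """Return one {"name", "version", "deps"} dict per [[package]] table.

    Cargo writes dependency entries as "name", "name 1.2.3" or
    "name 1.2.3 (source)", one per line; only the name is kept here.
    """
    packages = []
    current = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"name": None, "version": None, "deps": []}
            packages.append(current)
            in_deps = False
            continue
        if current is None:
            continue  # file header such as `version = 4` before the first table
        if in_deps:
            if line == "]":
                in_deps = False
            elif line.startswith('"'):
                current["deps"].append(line.strip('",').split()[0])
            continue
        if line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # `dependencies = []` closes itself
            continue
        match = _KEY_VALUE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    return packages


def locked_versions(text, crate):
    """Every version of `crate` resolved in the lockfile (empty if absent)."""
    return sorted(p["version"] for p in parse_lock(text) if p["name"] == crate)


def dependency_paths(text, crate):
    """All paths root -> ... -> crate, found by walking reverse dependencies.

    A root is a package nothing else depends on (a workspace member). Packages
    already on the current path are not revisited, so dependency cycles end.
    """
    packages = parse_lock(text)
    if not any(p["name"] == crate for p in packages):
        return []
    dependents = {}
    for p in packages:
        for dep in p["deps"]:
            dependents.setdefault(dep, []).append(p["name"])
    paths = []

    def walk(node, path):
        parents = [p for p in dependents.get(node, []) if p not in path]
        if not parents:
            paths.append(list(reversed(path)))
            return
        for parent in sorted(parents):
            walk(parent, path + [parent])

    walk(crate, [crate])
    return paths


def report(text, crate):
    """Human-readable lines describing how `crate` is reached, if at all."""
    versions = locked_versions(text, crate)
    if not versions:
        return [f"{crate}: not present in lockfile"]
    lines = [f"{crate}: resolved at version(s) {', '.join(versions)}"]
    for path in dependency_paths(text, crate):
        lines.append("  reached via " + " -> ".join(path))
    return lines


if __name__ == "__main__":
    # Usage: scan_lock.py [Cargo.lock] [crate]; defaults to the embedded sample and libyml.
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    crate_name = sys.argv[2] if len(sys.argv) > 2 else "libyml"
    print("\n".join(report(lock_text, crate_name)))
    sys.exit(1 if locked_versions(lock_text, crate_name) else 0)  # non-zero for CI gating
```

Run it as `python3 scan_lock.py path/to/Cargo.lock libyml`; with no arguments it scans the embedded sample and exits non-zero because libyml is present. Inside a checked-out project, `cargo tree -i libyml` answers the same question and `cargo audit` surfaces the RustSec advisory itself; a lockfile-only scanner is useful when auditing many repositories without building each one in a Rust toolchain.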
Source: This report was generated using AI