GHSA-hhw4-xg65-fp2x: 
Rust vulnerability analysis and mitigation

The serdeyml crate, a Rust package, has been identified with a moderate severity vulnerability affecting versions up to 0.12. The vulnerability was discovered and disclosed on September 15, 2025, and involves unsoundness issues that can lead to segmentation faults. The GitHub project for serdeyml was subsequently archived after these issues were raised (GitHub Advisory, RustSec Advisory).

The vulnerability is classified with a CVSS v4 score of 6.9 (Moderate severity), with local attack vector, low attack complexity, and no special privileges or user interaction required. The primary weakness is identified as CWE-787 (Out-of-bounds Write), where the product writes data past the end or before the beginning of the intended buffer. The issue specifically manifests when using serde_yml::ser::Serializer.emitter, which can trigger a segmentation fault (GitHub Advisory).

The vulnerability primarily affects system availability, with no direct impact on confidentiality or integrity. When exploited, it can cause the application to crash through segmentation faults, potentially disrupting service availability (GitHub Advisory).

No direct patches are available as the crate is unmaintained. Users are strongly recommended to switch to maintained alternatives: serdenorway (a maintained fork using unsafe-libyaml-norway) or serdeyamlng (using unmaintained unsafe-libyaml). For those seeking pure Rust alternatives, serdeyaml2 and yaml-peg are available, though these implementations do not rely on C libyaml (RustSec Advisory).

The vulnerability was initially discovered through community reporting, as documented in issue #733 of the LACT project. The community response led to the archival of the GitHub project after the unsoundness issues were raised (RustSec Issue).