GHSA-hhw4-xg65-fp2x: 
Rust vulnerability analysis and mitigation

The serde_yml crate, a Rust serialization library, has been identified with a critical vulnerability (GHSA-hhw4-xg65-fp2x) that affects all versions up to and including 0.0.12. The vulnerability was discovered and disclosed in September 2025, impacting the Rust ecosystem. The issue primarily affects the serialization functionality of the crate, which has been found to be unsound and is now unmaintained (GitHub Advisory).

The vulnerability stems from unsoundness in the serde_yml::ser::Serializer.emitter implementation that can trigger segmentation faults during execution. The issue has been assigned a CVSS v4 base score of 6.9 (Moderate severity), with local attack vector, low attack complexity, and no required privileges or user interaction. The vulnerability is classified as CWE-787 (Out-of-bounds Write), where the product writes data beyond the intended buffer boundaries (GitHub Advisory, RustSec Advisory).

The primary impact of this vulnerability is on system availability, with the potential to cause segmentation faults that can crash applications using the affected crate. The vulnerability has no direct impact on system confidentiality or integrity, but the unsoundness of the implementation poses significant reliability risks for dependent applications (GitHub Advisory).

No direct patches are available as the crate is now unmaintained. Users are strongly recommended to migrate to alternative maintained solutions. Recommended alternatives include serdenorway (using unsafe-libyaml-norway) and serdeyamlng (using unmaintained unsafe-libyaml). For those seeking pure Rust alternatives, serdeyaml2 and yaml-peg are available, though these implementations are noted as incomplete (RustSec Advisory).

The GitHub project for serde_yml has been archived following the discovery of these unsoundness issues, indicating a significant impact on the project's viability. The security community has responded by developing and recommending several alternative implementations to help users migrate away from the vulnerable crate (GitHub Advisory).