logo

Database

Lack of data validation - Type confusion In diesel

Description

Unsound access to padding bytes while serializing date/time values using the Mysql backend Diesel relies on libmysqlclient for interacting with Mysql compatible databases. This library requires to provide date/time values according to the byte layout of their MYSQL_TIME type.

Diesel replicated this type as #[repr(C)] struct, populated all the fields of this struct and then casted this value to an array of bytes. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.

This vulnerability affects any user serializing date/time values using the Mysql backend.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now manually serializes the relevant data without accessing the padding bytes.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. OSV-RUSTSEC-2026-01342. GCVE-RUSTSEC-2026-01343. rustsec.org

References

1. https://github.com/diesel-rs/diesel/pull/5042

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.