RUSTSEC-2026-0135

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2026-0135

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0135.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2026-0135

Published

2026-04-24T12:00:00Z

Modified

2026-05-13T14:30:09.174119Z

Summary

Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend

Details

Diesel allows users to output the generated SQL for any query DSL construct via th diesel::debug_query function as Display and Debug output.

For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a #[repr(rust)] layout. This is formally undefined behaviour as the compiler is free to change the layout of these types at any time.

This vulnerability affects users that print out batch insert statements constructed using an array/vector of values without default values using diesel::debug_query on the SQLite backend.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now uses a sound cast instead.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / diesel

Package

Name: diesel; View open source insights on deps.dev
Purl: pkg:cargo/diesel

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

2.3.8

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "arch": [],
        "functions": [
            "diesel::debug_query"
        ],
        "os": []
    }
}