RUSTSEC-2026-0138
- Source
- https://rustsec.org/advisories/RUSTSEC-2026-0138
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0138.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2026-0138
- Published
- 2026-04-30T12:00:00Z
- Modified
- 2026-05-13T14:32:26.464180Z
- Summary
- Unsound access to padding bytes while serializing date/time values using the Mysql backend
- Details
-
Diesel-async uses the mysql-async crate for interacting with Mysql compatible databases. This library already provides access to deserialized data for date/time releated types. Diesel-async then translated these deserialized data back to their serialized binary representation to hook into diesels desearialization framework.
While serializing these data/time values again Diesel-async relied on a cast between the
MysqlTime#[repr(C)]struct (defined by Diesel) and a byte array. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.This vulnerability affects any user deserializing date/time values using the Mysql backend and diesel-async.
This affects any usage of the following functions with a
AsyncMysqlConnectionprovided by diesel-async:diesel::serialize::FromSql<Timestamp, Mysql>diesel::serialize::FromSql<Time, Mysql>diesel::serialize::FromSql<Date, Mysql>diesel::serialize::FromSql<DateTime, Mysql>
Mitigation
The preferred mitigation to the outlined problem is to update to Diesel-async version 0.9.0 or newer, which includes fixes for the problem.
Resolution
Diesel-async now just calls a safe serialization method provided by Diesel 2.3.9 and newer
- Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / diesel-async
Package
- Name
- diesel-async
- View open source insights on deps.dev
- Purl
- pkg:cargo/diesel-async