
GHSA-gfxp-f68g-8x78: LibYML: `libyml::string::yaml_string_extend` is unsound and unmaintained

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 9/15/2025
Updated: 9/15/2025
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: -

Package Name: libyml
Ecosystem: rust
Vulnerable Versions: >= 0.0.4, <= 0.0.5
First Patched Version: -

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

Analysis of the security advisory and the associated commits shows that the vulnerability was introduced in version 0.0.4 of the libyml crate. It lies in the libyml::string::yaml_string_extend function, which was refactored in commit e9eef0466fd3761bebe8bce1b6d798697a1c7d3a. The revised implementation introduces undefined behavior by using a pointer after realloc may have deallocated the memory it points to: the code calculates a pointer offset relative to the old buffer pointer after the buffer has just been reallocated, which is a classic use-after-free. libyml::string::yaml_string_join is a primary caller of the vulnerable yaml_string_extend function, so it is a key indicator that would appear in a runtime profile or stack trace during exploitation. The project was subsequently archived because of these soundness issues, and no patch is available.

Vulnerable functions

libyml::string::yaml_string_extend (src/string.rs)
The function reallocates a buffer using `yaml_realloc`, which may free the memory pointed to by `*start`. Subsequently, it calculates an offset from this potentially dangling pointer using `(*pointer).offset_from(*start)`. This constitutes a use-after-free, leading to undefined behavior.
libyml::string::yaml_string_join (src/string.rs)
This function acts as a runtime indicator for the vulnerability because it directly calls the vulnerable function `yaml_string_extend` within a loop. When the conditions are met to trigger the undefined behavior in `yaml_string_extend`, `yaml_string_join` will be present in the execution stack.

WAF Protection Rules

WAF Rule

In version 0.0.4, `libyml::string::yaml_string_extend` was revised resulting in undefined behaviour, which is unsound. The GitHub project for `libyml` was archived after unsoundness issues were raised. If you rely on this crate, it is highly recomm
