We release security updates for the following versions:
| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| < 0.4 | ❌ |
Note: We only support the latest minor version. Please upgrade to receive security updates.
We take security vulnerabilities seriously. If you discover a security issue, please follow responsible disclosure practices.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues privately:
- Email: Send details to the project maintainers (contact via GitHub profile)
- GitHub Security Advisory: Use GitHub's private vulnerability reporting
Please provide as much information as possible:
- Vulnerability Description: What is the security issue?
- Affected Components: Which parts of the project are affected?
- Rust crates (fast-yaml-core, fast-yaml-linter, etc.)
- Python bindings
- NodeJS bindings
- Impact Assessment: What can an attacker accomplish?
- Reproduction Steps: Detailed steps to reproduce the issue
- Environment Details:
- Operating system
- Rust version
- Python/NodeJS version (if applicable)
- fast-yaml version
- Proof of Concept: Code example demonstrating the issue (if available)
- Suggested Fix: Any ideas for remediation (optional)
Subject: [SECURITY] Buffer overflow in YAML parser
Description:
A buffer overflow vulnerability exists in the YAML parser when
processing malformed input with deeply nested structures.
Affected Component:
- fast-yaml-core v0.4.0
- All language bindings (Python, NodeJS)
Impact:
An attacker can cause a denial of service or potentially execute
arbitrary code by providing a crafted YAML file with 1000+ levels
of nesting.
Reproduction:
1. Create a YAML file with deeply nested mappings (see attached poc.yaml)
2. Parse the file using fast_yaml.safe_load()
3. Application crashes with segmentation fault
Environment:
- OS: Ubuntu 22.04
- Rust: 1.88.0
- fast-yaml: 0.4.0
- Python: 3.11
PoC: [Attached or link to private repository]
We aim to respond to security reports according to the following timeline:
| Stage | Timeline |
|---|---|
| Initial Response | Within 48 hours |
| Vulnerability Assessment | Within 7 days |
| Fix Development | Within 30 days (depending on severity) |
| Security Patch Release | As soon as fix is ready and tested |
| Public Disclosure | 90 days after patch release (coordinated) |
We classify vulnerabilities using the following severity levels:
Critical:
- Remote code execution
- Authentication bypass
- Data exfiltration
High:
- Denial of service
- Privilege escalation
- Memory corruption
Medium:
- Information disclosure
- Logic errors with security implications
Low:
- Minor information leaks
- Best practice violations
Input Validation:
// Always validate input size before parsing
const MAX_INPUT_SIZE: usize = 10 * 1024 * 1024; // 10 MB
if input.len() > MAX_INPUT_SIZE {
return Err("Input too large");
}
fast_yaml_core::parse(input)?;Resource Limits:
import fast_yaml
# Set reasonable limits for production
yaml_content = open('data.yaml').read()
if len(yaml_content) > 10 * 1024 * 1024: # 10 MB
raise ValueError("YAML file too large")
data = fast_yaml.safe_load(yaml_content)Untrusted Input:
- Always use
safe_load()for untrusted YAML (notload()) - Validate YAML structure against expected schema
- Set resource limits (file size, parsing time)
- Run in sandboxed environments for untrusted sources
Security Tooling:
All contributors must run security checks before submitting PRs:
Rust dependencies:
# Check for known vulnerabilities
cargo audit
# Comprehensive dependency check
cargo deny check
# Check only security advisories
cargo deny check advisories
# Check license compliance
cargo deny check licensesNodeJS dependencies:
cd nodejs
# Check for vulnerabilities
npm audit
# Fail on high/critical only
npm audit --audit-level=high
# Auto-fix when possible
npm audit fix
# Generate detailed report
npm audit --json > audit-report.jsonPython dependencies:
cd python
# Check with pip-audit (if available)
uv pip install pip-audit
uv run pip-auditSecurity-critical code areas requiring extra scrutiny:
-
FFI Boundaries:
- Python bindings (
python/src/) - NodeJS bindings (
nodejs/src/) - Memory safety across language boundaries
- Python bindings (
-
Parser Logic:
- Input validation in
fast-yaml-core - Recursive parsing depth limits
- Memory allocation patterns
- Input validation in
-
Parallel Processing:
- Thread safety in
fast-yaml-parallel - Data race prevention
- Resource cleanup
- Thread safety in
-
Error Handling:
- Panic-free error propagation
- No information leaks in error messages
- Safe error recovery
Memory Safety:
- Written in Rust with
unsafe_code = "deny"(minimal unsafe limited to FFI boundaries) - All unsafe code explicitly documented with SAFETY comments
- Core parsing and linting logic is 100% safe Rust
- No manual memory management in safe code
- Automatic bounds checking
Input Validation:
- YAML 1.2.2 spec compliance
- Safe schema support only (no arbitrary code execution)
- Configurable resource limits
Dependency Security:
- Automated dependency scanning with cargo-audit
- License compliance checks with cargo-deny
- Regular security updates
Testing:
- Fuzzing for parser robustness (planned)
- Security test cases in test suite
- Coverage: ≥80% for critical paths
Large File Handling:
- Very large YAML files (>1GB) may cause high memory usage
- Recommendation: Use streaming/chunking for large files
- Parallel processing available for multi-document streams
Nested Structures:
- Deep nesting (>100 levels) may impact performance
- Stack overflow protection in place
- Configurable recursion limits (future feature)
We monitor and update dependencies regularly:
- Dependabot enabled for automatic security updates
- Weekly dependency review
- Quarterly major version updates
Automated scanning in CI/CD pipeline:
# .github/workflows/ci.yml
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: taiki-e/install-action@cargo-deny
- run: cargo deny check- Internal security reviews before major releases
- Community security audits welcome
- Professional security audit planned for v1.0
We appreciate security researchers who responsibly disclose vulnerabilities:
- Security contributors will be credited in CHANGELOG.md
- Public acknowledgment after coordinated disclosure
- Recognition in security advisories
For security concerns:
- Private Reports: Use GitHub Security Advisories or email maintainers
- General Questions: Open a GitHub Discussion
- Public Issues: Only for non-security bugs
This security policy is part of the fast-yaml project and is licensed under MIT and Apache-2.0.