rustsec-2026-0135
Vulnerability from osv_rustsec
Diesel allows users to output the generated SQL for any query DSL construct via th diesel::debug_query function as Display and Debug output.
For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a #[repr(rust)] layout. This is formally undefined behaviour as the compiler is free to change the layout of these types at any time.
This vulnerability affects users that print out batch insert statements constructed using an array/vector of values without default values using diesel::debug_query on the SQLite backend.
Mitigation
The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.
Resolution
Diesel now uses a sound cast instead.
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"diesel::debug_query"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "diesel",
"purl": "pkg:cargo/diesel"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "2.3.8"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Diesel allows users to output the generated SQL for any query DSL construct via th `diesel::debug_query` function as `Display` and `Debug` output.\n\nFor the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a `#[repr(rust)]` layout. This is formally undefined behaviour as the compiler is free to change the layout of these types at any time. \n\nThis vulnerability affects users that print out batch insert statements constructed using an array/vector of values without default values using `diesel::debug_query` on the SQLite backend.\n\n## Mitigation\n\nThe preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.\n\n## Resolution\n\nDiesel now uses a sound cast instead.",
"id": "RUSTSEC-2026-0135",
"modified": "2026-05-13T14:16:31Z",
"published": "2026-04-24T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/diesel"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0135.html"
},
{
"type": "WEB",
"url": "https://github.com/diesel-rs/diesel/pull/5042"
}
],
"related": [],
"severity": [],
"summary": "Unsound transmute while debug/display printing batch Insert statements in Diesel\u0027s SQLite backend"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.