diesel is vulnerable to SQL injection
78
High Risk
Diesel's PostgreSQL COPY support builds the DEFAULT, NULL, DELIMITER, QUOTE, and ESCAPE options as single-quoted string literals, because bind parameters are not available in that part of the statement. Before the fix, an embedded single quote in a caller-supplied option value terminated the literal early, so the remainder of the value could change the structure of the COPY statement. The fix escapes single quotes in those literals and correctly handles delimiter, quote, and escape bytes that are themselves a single-quote character.

The same release also fixes several unsound or platform-API misuse issues in the SQLite, MySQL, and PostgreSQL value and connection code: SqliteValue text and blob reading, Debug/Display and batch insert formatting, and alignment and call-order mistakes that could read padding bytes, leak memory, or trigger undefined behavior.

Together these changes bring the SQL construction and deserialization paths in line with the safety guarantees the public API documents.
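The bug class above, shown as an added example that is not diesel's own code: a naive renderer drops option values into `'...'` literals verbatim, and a hardened renderer doubles every embedded single quote (so a `'` delimiter byte becomes `''''`). The `CopyOptions` type, the `naive_copy_options`/`safe_copy_options` functions, the ASCII-only restriction on single-byte options, and the attacker string are all assumptions made for illustration; `literals_in` is a minimal lexer that decodes literals the way the server would, so you can see how many literals each rendering actually yields.

```rust
// Added example, not diesel's code. All names here are hypothetical.

/// Options to render into a PostgreSQL `COPY ... WITH (...)` clause.
#[derive(Debug, Default)]
pub struct CopyOptions {
    pub delimiter: Option<u8>,
    pub quote: Option<u8>,
    pub escape: Option<u8>,
    pub null: Option<String>,
    pub default: Option<String>,
}

/// Vulnerable rendering: each value is placed in a single-quoted literal
/// verbatim, so a `'` inside the value ends the literal early.
pub fn naive_copy_options(o: &CopyOptions) -> String {
    let mut parts = Vec::new();
    if let Some(b) = o.delimiter { parts.push(format!("DELIMITER '{}'", b as char)); }
    if let Some(b) = o.quote { parts.push(format!("QUOTE '{}'", b as char)); }
    if let Some(b) = o.escape { parts.push(format!("ESCAPE '{}'", b as char)); }
    if let Some(s) = &o.null { parts.push(format!("NULL '{}'", s)); }
    if let Some(s) = &o.default { parts.push(format!("DEFAULT '{}'", s)); }
    parts.join(", ")
}

/// Render `s` as a standard-conforming PostgreSQL string literal: the only
/// special character is `'`, which is written as `''`.
fn pg_string_literal(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('\'');
    for c in s.chars() {
        if c == '\'' {
            out.push('\'');
        }
        out.push(c);
    }
    out.push('\'');
    out
}

/// DELIMITER, QUOTE and ESCAPE take a single byte. Assumption for this
/// example: only ASCII bytes are accepted. A `'` byte becomes `''''`.
fn pg_byte_literal(b: u8) -> Result<String, String> {
    if !b.is_ascii() {
        return Err(format!("non-ASCII option byte 0x{:02x} not supported", b));
    }
    Ok(pg_string_literal(&(b as char).to_string()))
}

/// Hardened rendering: every value goes through the escaping helpers.
pub fn safe_copy_options(o: &CopyOptions) -> Result<String, String> {
    let mut parts = Vec::new();
    if let Some(b) = o.delimiter { parts.push(format!("DELIMITER {}", pg_byte_literal(b)?)); }
    if let Some(b) = o.quote { parts.push(format!("QUOTE {}", pg_byte_literal(b)?)); }
    if let Some(b) = o.escape { parts.push(format!("ESCAPE {}", pg_byte_literal(b)?)); }
    if let Some(s) = &o.null { parts.push(format!("NULL {}", pg_string_literal(s))); }
    if let Some(s) = &o.default { parts.push(format!("DEFAULT {}", pg_string_literal(s))); }
    Ok(parts.join(", "))
}

/// Decode the single-quoted literals in an option clause the way the server's
/// lexer does: a literal runs to the next lone `'`, and `''` inside it is one `'`.
pub fn literals_in(sql: &str) -> Vec<String> {
    let chars: Vec<char> = sql.chars().collect();
    let mut out = Vec::new();
    let mut i = 0;
    while i < chars.len() {
        if chars[i] != '\'' {
            i += 1;
            continue;
        }
        let mut lit = String::new();
        i += 1;
        while i < chars.len() {
            if chars[i] == '\'' {
                if i + 1 < chars.len() && chars[i + 1] == '\'' {
                    lit.push('\'');
                    i += 2;
                    continue;
                }
                i += 1; // closing quote
                break;
            }
            lit.push(chars[i]);
            i += 1;
        }
        out.push(lit);
    }
    out
}

fn main() {
    // Constructed attacker-controlled NULL marker that tries to smuggle in a FORMAT option.
    let opts = CopyOptions { null: Some("' , FORMAT 'binary".to_string()), ..Default::default() };
    let naive = naive_copy_options(&opts);
    let safe = safe_copy_options(&opts).unwrap();
    println!("naive: {}\n  literals: {:?}", naive, literals_in(&naive));
    println!("safe:  {}\n  literals: {:?}", safe, literals_in(&safe));
    let quote_delim = CopyOptions { delimiter: Some(b'\''), ..Default::default() };
    println!("quote byte as delimiter: {}", safe_copy_options(&quote_delim).unwrap());
}
```

With the constructed value, the naive output is `NULL '' , FORMAT 'binary'`, which the server reads as an empty NULL marker followed by a separate `FORMAT` option; the hardened output keeps the whole value inside one literal.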
You are affected if you are using a version that falls within the vulnerable range.
diesel is vulnerable to SQL injection in versions 2.0.0 - 2.3.7.
Upgrade the diesel library to a patched version.