quick-xml is vulnerable to Denial of Service
39
Low Risk
The serde deserializer in quick-xml mishandles a DOCTYPE declaration that appears between two text runs inside an element's content. The text-merge step stops at the DOCTYPE instead of treating it as transparent, so two separate text events reach the reader and violate its single-text-run invariant, triggering a reachable unreachable!() panic. An attacker who can supply crafted XML to a deserialization call can abort the parsing thread. The fix treats DOCTYPE as transparent during the text drain so the surrounding text merges into one run.
You are affected if you are using a version that falls within the vulnerable range and your application deserializes untrusted XML with the serde deserializer.
quick-xml is vulnerable to Denial of Service in versions 0.31.0 - 0.40.0.
Upgrade the quick-xml library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant