Critiq Docs

security.deserialization

Avoid untyped YAML deserialization

Untyped `serde_yaml` deserialization can instantiate arbitrary types from untrusted input.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | `rust.security.insecure-yaml-load` |
| Severity | high |
| Confidence | 0.85 |
| Languages | rust |
| Presets | security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | deserialization, rules-catalog, rust, security, yaml |

# Why it matters

Loading YAML without a strict schema leaves the resulting object graph unconstrained (any key, any nesting, any scalar type) and exposes the consumer to unexpected type coercion.

# Remediation

Deserialize into explicit structs or enums and validate input before use.

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/rust/rust.security.insecure-yaml-load.rule.yaml`.