PT-2024-40918 · Diesel · Diesel

Published

2024-08-23

·

Updated

2024-08-23

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Diesel versions <= 2.2.2
Description: Diesel is affected by a SQL injection issue in its handling of length-prefixed values in the database binary protocol. A value that encodes to more than 4 GiB overflows the 32-bit length prefix, because the length is converted with a truncating cast, so the prefix announces a far smaller size than was actually sent. The server then reads only that many bytes as the value and interprets the remaining bytes as further binary protocol commands or other data. These truncating casts have been present in Diesel's code since the beginning of the project. Untrusted input should be validated: reject any input over 4 GiB and any input that could encode to a string longer than 4 GiB.
Recommendations: For versions <= 2.2.2, update to a Diesel version newer than 2.2.2; version 2.2.3 contains the fix, and no further action is required once it is in place. As a temporary workaround, validate user input and reject any input over 4 GiB or any input that could encode to a string longer than 4 GiB. Web application backends should additionally add middleware that limits request body size by default, so oversized values never reach the query layer.
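The following is an added example and is not Diesel's code or part of the advisory. It models a simplified length-prefixed binary protocol (a 4-byte big-endian length followed by the payload; the real PostgreSQL and MySQL wire formats differ in detail) to show the two points above: how a truncating cast on the length turns an oversized value into a mis-framed stream that a server parses as additional messages, and how a checked conversion plus an input-size limit, the workaround the advisory recommends, refuses such values before they are encoded. The names `prefix_truncating`, `prefix_checked`, `reject_oversized`, `split_frames` and the `expansion_factor` parameter are this example's own assumptions, and the 4 GiB value cannot be allocated here, so the prefix is computed from the oversized length while a short constructed payload stands in for the bytes on the wire.

```rust
// Added example, not Diesel's implementation: a toy length-prefixed protocol
// reproducing the length-prefix overflow described in the advisory.
use std::convert::TryFrom;

/// 4 GiB: the first length a 32-bit prefix can no longer represent.
pub const PREFIX_LIMIT: u64 = 1 << 32;

/// Vulnerable encoder: `len as u32` silently drops the high bits, so a value
/// of 4 GiB + 5 bytes is announced to the peer as a 5-byte value.
pub fn prefix_truncating(len: u64) -> [u8; 4] {
    (len as u32).to_be_bytes()
}

#[derive(Debug, PartialEq)]
pub struct TooLarge(pub u64);

/// Hardened encoder: refuse any length that does not fit in the prefix
/// instead of wrapping it.
pub fn prefix_checked(len: u64) -> Result<[u8; 4], TooLarge> {
    u32::try_from(len).map(u32::to_be_bytes).map_err(|_| TooLarge(len))
}

/// Workaround from the advisory: reject oversized input before it is encoded.
/// `expansion_factor` is this example's assumption for encodings that grow the
/// input (escaping, hex, etc.); it covers "could encode to more than 4 GiB".
pub fn reject_oversized(input_len: u64, expansion_factor: u64) -> Result<(), TooLarge> {
    let worst_case = input_len
        .checked_mul(expansion_factor)
        .ok_or(TooLarge(input_len))?;
    if worst_case >= PREFIX_LIMIT {
        Err(TooLarge(input_len))
    } else {
        Ok(())
    }
}

/// Toy server-side framing: split a byte stream into frames by trusting the
/// length prefix, exactly as a real protocol parser does.
pub fn split_frames(stream: &[u8]) -> Vec<&[u8]> {
    let mut frames = Vec::new();
    let mut pos = 0;
    while pos + 4 <= stream.len() {
        let len = u32::from_be_bytes([stream[pos], stream[pos + 1], stream[pos + 2], stream[pos + 3]]) as usize;
        pos += 4;
        let end = pos.saturating_add(len).min(stream.len());
        frames.push(&stream[pos..end]);
        pos = end;
    }
    frames
}

/// What the server sees when the client used the truncating cast. The value
/// is notionally 4 GiB + 5 bytes; the constructed wire bytes hold only the
/// prefix, the first 5 bytes of the value, and the bytes that follow them,
/// which the parser now treats as a second, attacker-chosen frame.
pub fn demo_truncated_frame() -> Vec<Vec<u8>> {
    let oversized_len = PREFIX_LIMIT + 5;
    let mut wire = prefix_truncating(oversized_len).to_vec(); // announces 5 bytes
    wire.extend_from_slice(b"hello"); // first 5 bytes of the value (constructed)
    // remainder of the attacker-controlled value: parsed as a new frame
    wire.extend_from_slice(&8u32.to_be_bytes());
    wire.extend_from_slice(b"INJECTED");
    split_frames(&wire).into_iter().map(|f| f.to_vec()).collect()
}

fn main() {
    for (i, frame) in demo_truncated_frame().iter().enumerate() {
        println!("frame {}: {:?}", i, String::from_utf8_lossy(frame));
    }
    println!("checked encoder on 4 GiB + 5: {:?}", prefix_checked(PREFIX_LIMIT + 5));
    println!("2 GiB input, 2x encoding: {:?}", reject_oversized(1 << 31, 2));
}
```

The checked encoder alone closes the bug in the client library, which is what the 2.2.3 fix addresses; the `reject_oversized` check is the defence-in-depth layer for application code, and a request body limit in web middleware achieves the same effect earlier, before any value reaches the query layer.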

Related Identifiers

RUSTSEC-2024-0365

Affected Products

Diesel