Diesel relies on libmysqlclient for interacting with Mysql compatible databases. This library requires to provide date/time values according to the byte layout of their MYSQL TIME type.

Diesel replicated this type as #[repr(C)] struct, populated all the fields of this struct and then casted this value to an array of bytes. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.

This vulnerability affects any user serializing date/time values using the Mysql backend.

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Diesel now manually serializes the relevant data without accessing the padding bytes.