Diesel allows users to output the generated SQL for any query DSL construct via th diesel::debug query function as Display and Debug output.

For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a #[repr(rust)] layout. This is formally undefined behaviour as the compiler is free to change the layout of these types at any time.

This vulnerability affects users that print out batch insert statements constructed using an array/vector of values without default values using diesel::debug query on the SQLite backend.

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Diesel now uses a sound cast instead.