smol-toml 1.6.1 Patches Stack Overflow Vulnerability in TOML Parser (GHSA-v3rj-xjv7-4jmq)
A minor security vulnerability in the smol-toml library, tracked as GHSA-v3rj-xjv7-4jmq, has been patched in version 1.6.1. The flaw could allow an attacker to trigger a stack overflow by crafting a malicious TOML document containing thousands of successive commented lines, exploiting an unrestricted recursion path in the parser. This type of denial-of-service vector highlights the subtle risks present in even fundamental data parsing libraries.
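The following is an added illustration, not smol-toml's code and not a reproduction of its fix (the advisory's actual parser internals are not on this page). It contrasts the hazard the advisory describes with the standard remedy: a toy line scanner that skips comment lines by recursing once per line, next to an iterative version that uses constant stack depth no matter how long the run of comments is. The input is a constructed document of many `# padding` lines followed by a single key/value pair.

```javascript
// Added example: a toy TOML-like line scanner showing the recursion hazard the
// advisory describes beside the iterative form that removes it. This is NOT
// smol-toml's code; the real parser and its 1.6.1 fix are not reproduced here.

// True if a line is whitespace-only or a comment (`#` after optional whitespace).
function isSkippable(line) {
  const t = line.trim();
  return t === "" || t.startsWith("#");
}

// Vulnerable pattern: one stack frame per skipped line. A document with enough
// consecutive comment lines exhausts the call stack (RangeError in V8).
function skipCommentsRecursive(lines, i) {
  if (i >= lines.length || !isSkippable(lines[i])) return i;
  return skipCommentsRecursive(lines, i + 1);
}

// Hardened pattern: a loop consumes the same lines with constant stack usage.
function skipCommentsIterative(lines, i) {
  while (i < lines.length && isSkippable(lines[i])) i++;
  return i;
}

// Minimal `key = "basic string"` parser built on the iterative skipper.
// Anything outside that grammar throws, so unexpected input fails closed.
function parseSimpleToml(doc) {
  const lines = doc.split(/\r?\n/);
  const out = {};
  let i = 0;
  while (i < lines.length) {
    i = skipCommentsIterative(lines, i);
    if (i >= lines.length) break;
    const m = /^\s*([A-Za-z0-9_-]+)\s*=\s*"([^"\\]*)"\s*(#.*)?$/.exec(lines[i]);
    if (!m) throw new SyntaxError(`line ${i + 1}: unsupported or malformed line`);
    out[m[1]] = m[2];
    i++;
  }
  return out;
}

// Constructed input: `n` comment lines followed by one key/value pair.
function buildCommentFlood(n) {
  return "# padding\n".repeat(n) + 'name = "ok"\n';
}

// Returns true if the recursive skipper blows the stack on `n` comment lines.
function recursiveOverflows(n) {
  const lines = buildCommentFlood(n).split("\n");
  try {
    skipCommentsRecursive(lines, 0);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Stand-alone demo: the iterative parser handles the flood; the recursive one does not.
const N = 500000;
console.log("iterative parse:", parseSimpleToml(buildCommentFlood(N)));
console.log("recursive overflows:", recursiveOverflows(N));
```

The defensive takeaway is structural rather than a size limit: any parser step that advances "one token and then call myself" over attacker-sized input should be a loop, or the recursion depth should be bounded explicitly, because the default V8 stack is exhausted after on the order of ten thousand frames.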
The vulnerability was addressed in smol-toml v1.6.1, the release immediately following 1.6.0. The fix is critical for any project that processes untrusted TOML configuration files, since an attacker could crash the application by submitting a specially crafted document. The security advisory is publicly available, and the commit history shows the version bump and related dependency upgrades as part of the maintenance cycle.
While labeled as a 'minor' vulnerability, the patch underscores the ongoing need for vigilance in software supply chains. Developers using smol-toml must update their dependencies to version 1.6.1 to mitigate the risk. The incident serves as a reminder that parsing logic, especially for ubiquitous formats like TOML, remains a potential attack surface for resource exhaustion and application instability.