readstat-rs is pre-1.0. Security fixes are applied to the latest published
version of each crate (readstat, readstat-cli, readstat-sys,
readstat-iconv-sys). Older versions are not maintained — please upgrade to
the latest release before reporting an issue.
Please do not open a public GitHub issue for security vulnerabilities.
Instead, report privately using GitHub's private vulnerability reporting on this repository (the Security tab → Report a vulnerability).
When reporting, please include:
- The affected crate and version.
- A description of the vulnerability and its impact.
- Steps to reproduce, ideally with a minimal
.sas7bdatsample or test case.
You can expect an initial acknowledgement within a few days. Once a fix is available, a patched release will be published to crates.io and a GitHub Security Advisory issued.
readstat-rs parses untrusted binary input (.sas7bdat files) through FFI
bindings to the ReadStat C library.
Memory-safety is therefore a primary concern. The project runs automated
memory-safety checks in CI (Miri, and AddressSanitizer on Linux, macOS, and
Windows) plus a weekly fuzzing harness; Valgrind is run manually. See
docs/MEMORY-SAFETY.md and
docs/TESTING.md.
Vulnerabilities that originate in the upstream ReadStat C library may be forwarded to the ReadStat project in addition to being addressed here where feasible.