Skip to main content

Crystal 1.20.3

Release Date: July 2, 2026

Crystal 1.20.3 has been released — a security-focused patch addressing YAML parsing vulnerabilities in the standard library. All users running previous 1.20.x versions are strongly advised to upgrade.

Security Fixes

  • YAML max_nesting — Added max_nesting configuration to YAML::PullParser to prevent stack exhaustion from deeply nested YAML documents, hardening the parser against denial-of-service attacks.
  • Alias vs Anchor Ratio — A new alias vs anchor ratio check has been introduced in YAML::PullParser to mitigate algorithmic complexity attacks via crafted YAML input with excessive alias-to-anchor ratios.

Refactoring

  • Anchor Name MemoizationYAML::PullParser now memoizes anchor names during serialization, improving performance in documents with repeated alias references.

Infrastructure

  • Changelog for 1.20.3 has been added to the repository for transparency and traceability.

Crystal 1.20.3 is available now via the official installation methods. Users are encouraged to update their installations at their earliest convenience, particularly those handling untrusted YAML input in production environments.

What is New?

By continuing to use the site, you agree to the use of cookies.