Diesel fixes SQLite unsoundness after invalid UTF-8 string assumption
Diesel's SQLite backend could turn arbitrary bytes into Rust `str` values before 2.3.8, a boundary bug RustSec flagged as INFO unsound.

Diesel’s SQLite backend had a sharp edge at the exact place Rust is supposed to be safest: the boundary between foreign data and a Rust string. RustSec flagged the issue as RUSTSEC-2026-0111 on April 24, 2026, classifying it as INFO and Unsound after Diesel had treated SQLite output as if it were always valid UTF-8.
The bug lived in `diesel::deserialize::FromSql::<Text,Sqlite>::from_sql` and `diesel::sqlite::SqliteValue::read_str` in Diesel versions before 2.3.8. Diesel used `sqlite3_value_text` while deserializing query results and then built Rust string slices with `str::from_utf8_unchecked`, assuming the bytes coming back from SQLite would always satisfy Rust’s UTF-8 rules. That assumption broke when SQLite stored data in a BLOB-typed field, where the API can hand back arbitrary bytes. The result was not just a bad parse, but a breach of `str`’s safety contract.
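An added example, not Diesel's code or its fix: the unchecked pattern described above next to a checked read that validates bytes at the boundary. The function names, the error type and the sample buffers are constructed for illustration.

```rust
// Added example; all names and sample buffers are constructed, not Diesel's API.

#[derive(Debug, PartialEq)]
enum TextError {
    /// Bytes are not UTF-8; `valid_up_to` is the offset of the first bad byte.
    InvalidUtf8 { valid_up_to: usize },
}

/// The unsound shape: a safe signature over an unchecked conversion. If `raw`
/// is not UTF-8, the returned `&str` breaks the invariant that safe code and
/// the standard library rely on. Not called in this example.
#[allow(dead_code)]
fn read_str_unchecked(raw: &[u8]) -> &str {
    unsafe { std::str::from_utf8_unchecked(raw) }
}

/// The checked shape: validate at the FFI boundary and return an error.
fn read_str_checked(raw: &[u8]) -> Result<&str, TextError> {
    std::str::from_utf8(raw).map_err(|e| TextError::InvalidUtf8 {
        valid_up_to: e.valid_up_to(),
    })
}

/// Constructed stand-ins for byte buffers a C text-read call could return.
const SAMPLES: [(&str, &[u8]); 3] = [
    ("TEXT value, valid UTF-8", "caf\u{e9}".as_bytes()),
    ("BLOB value, raw bytes", &[0x66, 0x6f, 0x6f, 0xff, 0xfe]),
    ("BLOB value, truncated sequence", &[0x61, 0xe2, 0x82]),
];

/// Labels of the samples that a checked read refuses to expose as `str`.
fn rejected_labels() -> Vec<&'static str> {
    SAMPLES
        .iter()
        .filter(|(_, raw)| read_str_checked(raw).is_err())
        .map(|(label, _)| *label)
        .collect()
}

fn main() {
    for (label, raw) in SAMPLES {
        match read_str_checked(raw) {
            Ok(s) => println!("{label}: ok {s:?}"),
            Err(e) => println!("{label}: rejected {e:?}"),
        }
    }
    println!("rejected: {:?}", rejected_labels());
}
```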
For Rust apps that use Diesel with SQLite, the practical exposure is straightforward: any code path that reads text from SQLite and trusts Diesel to deliver a valid `&str` or `String` was in scope before 2.3.8. The risk is highest in projects that mix text and blob storage, lean on SQLite’s flexible typing, or accept data from sources that do not enforce text encoding at insertion time. SQLite’s own documentation makes the underlying trap easy to miss, because its type system is dynamic, any column may store any storage class, and BLOB values are stored exactly as input. SQLite 3.37.0, released on 2021-11-27, added STRICT tables for developers who want rigid type enforcement.

Diesel 2.3.8 already includes the fix, with pull request #5042 as the upstream reference. Its release notes show this was part of a broader hardening pass, including fixes for unsound string construction in SQLite text reads and invalid call order of SQLite API functions across text and blob reads. That larger context matters because it shows the bug was not an isolated slip, but a reminder that safe Rust still depends on every unchecked conversion being justified all the way out at the FFI boundary.
The immediate move is to upgrade to Diesel 2.3.8 or later, then rerun tests around SQLite text and blob handling. For teams that have treated Diesel’s types as a final guarantee, this is the kind of bug that proves the real guarantee ends where the database API’s assumptions begin.

