
8 known dependency vulnerabilities including 3 HIGH severity #65

@brandonrc

Description


Problem

cargo audit reports 8 advisories, 3 at HIGH severity:

| Crate | Version | Issue | Severity |
|---|---|---|---|
| aws-lc-sys | 0.37.1 | PKCS7 signature bypass | HIGH |
| aws-lc-sys | 0.37.1 | CRL bypass | HIGH |
| aws-lc-sys | 0.37.1 | 3 additional advisories | MEDIUM |
| quinn-proto | | DoS vulnerability (CVSS 8.7) | HIGH |
| time | | Stack exhaustion | MEDIUM |
| rustls-webpki | | CRL matching issue | MEDIUM |

Suggested Fix

  1. cargo update to pull latest compatible versions
  2. Bump aws-lc-sys to >= 0.39.0 (may require updating aws-sdk-* crates)
  3. Verify quinn-proto update resolves the DoS advisory
  4. Run cargo audit to confirm zero HIGH advisories remain

Source

Security audit, 2026-03-23.

Metadata


Assignees

No one assigned

Labels

dependencies (Pull requests that update a dependency file), priority:critical (Must fix immediately), security (Security-related issues)
