Skip to content

Upgrade alloy-dyn-abi to 1.4.1 #1252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Upgrade alloy-dyn-abi to 1.4.1 #1252

wants to merge 2 commits into from
+2,568 −2,607

Conversation

rakanalh
Copy link

This is based on a warning generated by cargo-deny in Citrea's codebase:

error[vulnerability]: DoS vulnerability on `alloy_dyn_abi::TypedData` hashing
   ┌─ /home/rakan/Work/Chainway/citrea/Cargo.lock:23:1
   │
23 │ alloy-dyn-abi 1.1.2 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2025-0073
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0073
   ├ An uncaught panic triggered by malformed input to `alloy_dyn_abi::TypedData` could lead to a denial-of-service (DoS) via `eip712_signing_hash()`.

     Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.

     The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version [v1.4.1](https://crates.io/crates/alloy-dyn-abi/1.4.1) and backported to [v0.8.26](https://crates.io/crates/alloy-dyn-abi/0.8.26).

     There is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.

     Reported by [Christian Reitter](https://github.com/cr-tk) & [Zeke Mostov](https://github.com/emostov) from [Turnkey](https://www.turnkey.com/).
   ├ Announcement: https://github.com/alloy-rs/core/security/advisories/GHSA-pgp9-98jm-wwq2
   ├ Solution: Upgrade to >=0.8.26, <1.0.0 OR >=1.4.1 (try `cargo update -p alloy-dyn-abi`)
   ├ alloy-dyn-abi v1.1.2
     ├── alloy-contract v1.0.9
     │   └── alloy v1.0.9
     │       ├── boundless-market v1.0.0
     │       │   └── citrea-risc0-adapter v0.7.5
     │       │       └── (dev) citrea v0.7.5
     │       └── risc0-ethereum-contracts v3.0.1
     │           └── boundless-market v1.0.0 (*)
     └── alloy-core v1.1.2
         └── alloy v1.0.9 (*)

We'll upgrade our version of boundless when this PR is merged and is included in a release so that we make sure we're clear on the security front reported by cargo deny.

@rakanalh rakanalh mentioned this pull request Oct 20, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@capossele capossele Awaiting requested review from capossele capossele is a code owner

@Wollac Wollac Awaiting requested review from Wollac Wollac is a code owner

@zeroecco zeroecco Awaiting requested review from zeroecco zeroecco is a code owner

@austinabell austinabell Awaiting requested review from austinabell austinabell is a code owner

@willemolding willemolding Awaiting requested review from willemolding willemolding is a code owner

@ec2 ec2 Awaiting requested review from ec2 ec2 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rakanalh