chore(deps): update rust crate tracing-subscriber to v0.3.20 [security]#1321

Open
renovate[bot] wants to merge 1 commit into main from renovate/crate-tracing-subscriber-vulnerability

Conversation


@renovate renovate bot commented Apr 13, 2026

This PR contains the following updates:

Package: tracing-subscriber (source)
Type: workspace.dependencies
Update: patch
Change: =0.3.19 → =0.3.20
OpenSSF: Scorecard

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-58160

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, the impact is minimal; however, security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Patches

tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal.

Workarounds

Avoid printing logs to terminal emulators without escaping ANSI control sequences.

References

https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Severity
  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tracing logging user input may result in poisoning logs with ANSI escape sequences

CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Logging user input may result in poisoning logs with ANSI escape sequences

CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055

This was patched in PR #3368 to escape ANSI control characters from user input.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Release Notes

tokio-rs/tracing (tracing-subscriber)

v0.3.20: tracing-subscriber 0.3.20

Compare Source

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"


Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
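The mitigation the advisory describes, escaping control characters before a logged event reaches a terminal-bound sink, together with a check a log consumer can run to confirm nothing slipped through. This is an added example written for this page, not tracing-subscriber's own implementation; the `render_event` field name and the sample user-agent value are constructed.

```rust
// Added example (not tracing-subscriber's code): make untrusted text safe for
// a terminal-bound log sink, and detect lines that still carry raw controls.

/// True for characters that can start or form a terminal control sequence:
/// C0 controls (including ESC 0x1B and BEL 0x07), DEL, and the C1 range
/// (U+0080..=U+009F, which includes the single-byte CSI U+009B).
fn is_terminal_control(c: char) -> bool {
    let cp = c as u32;
    cp < 0x20 || cp == 0x7F || (0x80..=0x9F).contains(&cp)
}

/// Replace every control character with its visible `\u{..}` spelling, so the
/// bytes written to the terminal can never be interpreted as a sequence.
/// Newline and tab are escaped as well, which also blocks forged multi-line
/// log entries.
pub fn escape_controls(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        if is_terminal_control(c) {
            out.push_str(&format!("\\u{{{:x}}}", c as u32));
        } else {
            out.push(c);
        }
    }
    out
}

/// Detection check for a log consumer: a rendered line that still contains a
/// raw control character means some field bypassed the escaping above.
pub fn has_raw_controls(line: &str) -> bool {
    line.chars().any(is_terminal_control)
}

/// Render one event the way a terminal-bound layer might, with the untrusted
/// field escaped. Field name is constructed for this example.
pub fn render_event(level: &str, user_agent: &str) -> String {
    format!("{level} request user_agent={}", escape_controls(user_agent))
}

fn main() {
    // Constructed sample: a header value carrying a clear-screen sequence.
    let hostile = "curl/8.0 \x1b[2J\x1b[H";
    let line = render_event("INFO", hostile);
    println!("{line}"); // prints: INFO request user_agent=curl/8.0 \u{1b}[2J\u{1b}[H
    assert!(!has_raw_controls(&line));
}
```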

@renovate renovate bot added the renovate label Apr 13, 2026
@renovate renovate bot requested a review from a team as a code owner April 13, 2026 19:39
@renovate renovate bot added the security label Apr 13, 2026

renovate bot commented Apr 13, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating git repository `https://github.com/midnightntwrk/midnight-ledger`
From https://github.com/midnightntwrk/midnight-ledger
 * [new ref]         a553d042c818566cf70be1b571105341cec864e9 -> refs/commit/a553d042c818566cf70be1b571105341cec864e9
    Updating git repository `https://github.com/midnightntwrk/rust-yamux`
From https://github.com/midnightntwrk/rust-yamux
 * [new ref]         8ed778c706ff6fd82228f3fde29b75896f48891b -> refs/commit/8ed778c706ff6fd82228f3fde29b75896f48891b
    Updating crates.io index
    Updating git repository `https://github.com/paritytech/polkadot-sdk.git`
From https://github.com/paritytech/polkadot-sdk
 * [new ref]               2e4dd0bc22366a5af820492528869a493b5a5208 -> refs/commit/2e4dd0bc22366a5af820492528869a493b5a5208
    Updating git repository `https://github.com/input-output-hk/partner-chains-smart-contracts.git`
From https://github.com/input-output-hk/partner-chains-smart-contracts
 * [new ref]           08bc5346d17d258ab84e4312e22339eaa1762c57 -> refs/commit/08bc5346d17d258ab84e4312e22339eaa1762c57
    Updating git repository `https://github.com/midnightntwrk/whisky`
From https://github.com/midnightntwrk/whisky
 * [new ref]         1d473db05e5af4b453549bca73561c01a3bb6d86 -> refs/commit/1d473db05e5af4b453549bca73561c01a3bb6d86
    Updating git repository `https://github.com/midnightntwrk/rs-merkle.git`
From https://github.com/midnightntwrk/rs-merkle
 * [new ref]         7c997a58410ae9a23e0513d5eed6cfb410633dc8 -> refs/commit/7c997a58410ae9a23e0513d5eed6cfb410633dc8
    Updating git repository `https://github.com/midnightntwrk/cquisitor-lib`
From https://github.com/midnightntwrk/cquisitor-lib
 * [new ref]         89b334ca5fd433ec3a65d4e9b3e26cecd89fd242 -> refs/commit/89b334ca5fd433ec3a65d4e9b3e26cecd89fd242
error: failed to select a version for `tracing-subscriber`.
    ... required by package `sp-tracing v19.0.0 (https://github.com/paritytech/polkadot-sdk.git?tag=polkadot-stable2603#2e4dd0bc)`
    ... which satisfies git dependency `sp-tracing` (locked to 19.0.0) of package `frame-support v46.0.0 (https://github.com/paritytech/polkadot-sdk.git?tag=polkadot-stable2603#2e4dd0bc)`
    ... which satisfies git dependency `frame-support` (locked to 46.0.0) of package `midnight-node v1.0.0 (/tmp/renovate/repos/github/midnightntwrk/midnight-node/node)`
versions that meet the requirements `=0.3.19` are: 0.3.19

all possible versions conflict with previously selected packages.

  previously selected package `tracing-subscriber v0.3.20`
    ... which satisfies dependency `tracing-subscriber = "=0.3.20"` of package `midnight-node-toolkit v1.0.0 (/tmp/renovate/repos/github/midnightntwrk/midnight-node/util/toolkit)`
    ... which satisfies path dependency `midnight-node-toolkit` (locked to 1.0.0) of package `midnight-node-e2e v0.1.0 (/tmp/renovate/repos/github/midnightntwrk/midnight-node/tests/e2e)`

failed to select a version for `tracing-subscriber` which could resolve this conflict

@renovate renovate bot force-pushed the renovate/crate-tracing-subscriber-vulnerability branch 7 times, most recently from f126f07 to 2739f30 Compare April 15, 2026 12:47
@renovate renovate bot force-pushed the renovate/crate-tracing-subscriber-vulnerability branch 5 times, most recently from caea112 to 840f626 Compare April 16, 2026 12:17
@renovate renovate bot force-pushed the renovate/crate-tracing-subscriber-vulnerability branch from 840f626 to ec114ea Compare April 16, 2026 16:43
