chore(deps): update rust crate tracing-subscriber to 0.3.20 [security] #12

Open
renovate wants to merge 1 commit from renovate/crate-tracing-subscriber-vulnerability into main
Member

This PR contains the following updates:

Package Type Update Change
tracing-subscriber (source) dev-dependencies patch 0.3.160.3.20
tracing-subscriber (source) dev-dependencies patch 0.3.170.3.20
tracing-subscriber (source) dependencies patch 0.3.160.3.20

Tracing logging user input may result in poisoning logs with ANSI escape sequences

CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055

More information

Details

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Patches

tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Workarounds

Avoid printing logs to terminal emulators without escaping ANSI control sequences.

References

https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Logging user input may result in poisoning logs with ANSI escape sequences

CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055

More information

Details

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in PR #​3368 to escape ANSI control characters from user input.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Release Notes

tokio-rs/tracing (tracing-subscriber)

v0.3.20: tracing-subscriber 0.3.20

Compare Source

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users
Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"
Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

v0.3.19: tracing-subscriber 0.3.19

Compare Source

[ crates.io ] | [ docs.rs ]

This release updates the tracing dependency to v0.1.41 and
the tracing-serde dependency to v0.2.0.

Added
  • Add set_span_events to fmt::Subscriber (#​2962)
  • tracing: Allow &[u8] to be recorded as event/span field (#​2954)
Changed
  • Set log max level when reloading (#​1270)
  • Bump MSRV to 1.63 (#​2793)
  • Use const thread_locals when possible (#​2838)
  • Don't gate with_ansi() on the "ansi" feature (#​3020)
  • Updated tracing-serde to 0.2.0 (#​3160)

v0.3.18: tracing-subscriber 0.3.18

Compare Source

This release of tracing-subscriber adds support for the NO_COLOR environment
variable (an informal standard to disable emitting ANSI color escape codes) in
fmt::Layer, reintroduces support for the chrono crate, and increases the
minimum supported Rust version (MSRV) to Rust 1.63.0.

It also introduces several minor API improvements.

Added
  • chrono: Add chrono implementations of FormatTime (#​2690)
  • subscriber: Add support for the NO_COLOR environment variable in
    fmt::Layer (#​2647)
  • fmt: make format::Writer::new() public (#​2680)
  • filter: Implement layer::Filter for Option<Filter> (#​2407)
Changed
  • log: bump version of tracing-log to 0.2 (#​2772)
  • Increased minimum supported Rust version (MSRV) to 1.63.0+.

Thanks to @​shayne-fletcher, @​dmlary, @​kaifastromai, and @​jsgf for contributing!

v0.3.17: tracing-subscriber 0.3.17

Compare Source

This release of tracing-subscriber fixes a build error when using env-filter
with recent versions of the regex crate. It also introduces several minor API
improvements.

Fixed
  • env-filter: Add "unicode-case" and "unicode-perl" to the regex
    dependency, fixing a build error with recent versions of regex (#​2566)
  • A number of minor documentation typos and other fixes (#​2384, #​2378,
    #​2368, #​2548)
Added
  • filter: Add fmt::Display impl for filter::Targets (#​2343)
  • fmt: Made with_ansi(false) no longer require the "ansi" feature, so that
    ANSI formatting escapes can be disabled without requiring ANSI-specific
    dependencies (#​2532)
Changed
  • fmt: Dim targets in the Compact formatter, matching the default
    formatter (#​2409)

Thanks to @​keepsimple1, @​andrewhalle, @​LeoniePhiline, @​LukeMathWalker,
@​howardjohn, @​daxpedda, and @​dbidwell94 for contributing to this release!


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [tracing-subscriber](https://tokio.rs) ([source](https://github.com/tokio-rs/tracing)) | dev-dependencies | patch | `0.3.16` → `0.3.20` | | [tracing-subscriber](https://tokio.rs) ([source](https://github.com/tokio-rs/tracing)) | dev-dependencies | patch | `0.3.17` → `0.3.20` | | [tracing-subscriber](https://tokio.rs) ([source](https://github.com/tokio-rs/tracing)) | dependencies | patch | `0.3.16` → `0.3.20` | --- ### Tracing logging user input may result in poisoning logs with ANSI escape sequences [CVE-2025-58160](https://nvd.nist.gov/vuln/detail/CVE-2025-58160) / [GHSA-xwfj-jgwm-7wp5](https://github.com/advisories/GHSA-xwfj-jgwm-7wp5) / [RUSTSEC-2025-0055](https://rustsec.org/advisories/RUSTSEC-2025-0055.html) <details> <summary>More information</summary> #### Details ##### Impact Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. ##### Patches `tracing-subscriber` version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal. ##### Workarounds Avoid printing logs to terminal emulators without escaping ANSI control sequences. ##### References https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/ ##### Acknowledgments We would like to thank [zefr0x](http://github.com/zefr0x) who responsibly reported the issue at `security@tokio.rs`. If you believe you have found a security vulnerability in any tokio-rs project, please email us at `security@tokio.rs`. #### Severity - CVSS Score: 2.3 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/tokio-rs/tracing/security/advisories/GHSA-xwfj-jgwm-7wp5](https://github.com/tokio-rs/tracing/security/advisories/GHSA-xwfj-jgwm-7wp5) - [https://nvd.nist.gov/vuln/detail/CVE-2025-58160](https://nvd.nist.gov/vuln/detail/CVE-2025-58160) - [https://github.com/tokio-rs/tracing](https://github.com/tokio-rs/tracing) - [https://rustsec.org/advisories/RUSTSEC-2025-0055.html](https://rustsec.org/advisories/RUSTSEC-2025-0055.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xwfj-jgwm-7wp5) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Logging user input may result in poisoning logs with ANSI escape sequences [CVE-2025-58160](https://nvd.nist.gov/vuln/detail/CVE-2025-58160) / [GHSA-xwfj-jgwm-7wp5](https://github.com/advisories/GHSA-xwfj-jgwm-7wp5) / [RUSTSEC-2025-0055](https://rustsec.org/advisories/RUSTSEC-2025-0055.html) <details> <summary>More information</summary> #### Details Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. This was patched in [PR #&#8203;3368](https://github.com/tokio-rs/tracing/pull/3368) to escape ANSI control characters from user input. #### Severity Unknown #### References - [https://crates.io/crates/tracing-subscriber](https://crates.io/crates/tracing-subscriber) - [https://rustsec.org/advisories/RUSTSEC-2025-0055.html](https://rustsec.org/advisories/RUSTSEC-2025-0055.html) - [https://github.com/advisories/GHSA-xwfj-jgwm-7wp5](https://github.com/advisories/GHSA-xwfj-jgwm-7wp5) This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2025-0055) and the [Rust Advisory Database](https://github.com/RustSec/advisory-db) ([CC0 1.0](https://github.com/rustsec/advisory-db/blob/main/LICENSE.txt)). </details> --- ### Release Notes <details> <summary>tokio-rs/tracing (tracing-subscriber)</summary> ### [`v0.3.20`](https://github.com/tokio-rs/tracing/releases/tag/tracing-subscriber-0.3.20): tracing-subscriber 0.3.20 [Compare Source](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.19...tracing-subscriber-0.3.20) **Security Fix**: ANSI Escape Sequence Injection (CVE-TBD) ##### Impact Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to: - Manipulate terminal title bars - Clear screens or modify terminal display - Potentially mislead users through terminal manipulation In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator. ##### Solution Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal. ##### Affected Versions All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability. ##### Recommendations Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application: - Logs user-provided input (form data, HTTP headers, query parameters, etc.) - Runs in environments where terminal output is displayed to users ##### Migration This is a patch release with no breaking API changes. Simply update your Cargo.toml: ```toml [dependencies] tracing-subscriber = "0.3.20" ``` ##### Acknowledgments We would like to thank [zefr0x](http://github.com/zefr0x) who responsibly reported the issue at `security@tokio.rs`. If you believe you have found a security vulnerability in any tokio-rs project, please email us at `security@tokio.rs`. ### [`v0.3.19`](https://github.com/tokio-rs/tracing/releases/tag/tracing-subscriber-0.3.19): tracing-subscriber 0.3.19 [Compare Source](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.18...tracing-subscriber-0.3.19) \[ [crates.io][crate-0.3.19] ] | \[ [docs.rs][docs-0.3.19] ] This release updates the `tracing` dependency to [v0.1.41][tracing-0.1.41] and the `tracing-serde` dependency to [v0.2.0][tracing-serde-0.2.0]. ##### Added - Add `set_span_events` to `fmt::Subscriber` ([#&#8203;2962]) - **tracing**: Allow `&[u8]` to be recorded as event/span field ([#&#8203;2954]) ##### Changed - Set `log` max level when reloading ([#&#8203;1270]) - Bump MSRV to 1.63 ([#&#8203;2793]) - Use const `thread_local`s when possible ([#&#8203;2838]) - Don't gate `with_ansi()` on the "ansi" feature ([#&#8203;3020]) - Updated tracing-serde to 0.2.0 ([#&#8203;3160]) [#&#8203;1270]: https://github.com/tokio-rs/tracing/pull/1270 [#&#8203;2793]: https://github.com/tokio-rs/tracing/pull/2793 [#&#8203;2838]: https://github.com/tokio-rs/tracing/pull/2838 [#&#8203;2954]: https://github.com/tokio-rs/tracing/pull/2954 [#&#8203;2962]: https://github.com/tokio-rs/tracing/pull/2962 [#&#8203;3020]: https://github.com/tokio-rs/tracing/pull/3020 [#&#8203;3160]: https://github.com/tokio-rs/tracing/pull/3160 [tracing-0.1.41]: https://github.com/tokio-rs/tracing/releases/tag/tracing-0.1.41 [tracing-serde-0.2.0]: https://github.com/tokio-rs/tracing/releases/tag/tracing-serde-0.2.0 [docs-0.3.19]: https://docs.rs/tracing-subscriber/0.3.19/tracing_subscriber/ [crate-0.3.19]: https://crates.io/crates/tracing-subscriber/0.3.19 ### [`v0.3.18`](https://github.com/tokio-rs/tracing/releases/tag/tracing-subscriber-0.3.18): tracing-subscriber 0.3.18 [Compare Source](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.17...tracing-subscriber-0.3.18) This release of `tracing-subscriber` adds support for the [`NO_COLOR`] environment variable (an informal standard to disable emitting ANSI color escape codes) in `fmt::Layer`, reintroduces support for the [`chrono`] crate, and increases the minimum supported Rust version (MSRV) to Rust 1.63.0. It also introduces several minor API improvements. ##### Added - **chrono**: Add [`chrono`] implementations of `FormatTime` ([#&#8203;2690]) - **subscriber**: Add support for the [`NO_COLOR`] environment variable in `fmt::Layer` ([#&#8203;2647]) - **fmt**: make `format::Writer::new()` public ([#&#8203;2680]) - **filter**: Implement `layer::Filter` for `Option<Filter>` ([#&#8203;2407]) ##### Changed - **log**: bump version of `tracing-log` to 0.2 ([#&#8203;2772]) - Increased minimum supported Rust version (MSRV) to 1.63.0+. [`chrono`]: https://github.com/chronotope/chrono [`NO_COLOR`]: https://no-color.org/ [#&#8203;2690]: https://github.com/tokio-rs/tracing/pull/2690 [#&#8203;2647]: https://github.com/tokio-rs/tracing/pull/2647 [#&#8203;2680]: https://github.com/tokio-rs/tracing/pull/2680 [#&#8203;2407]: https://github.com/tokio-rs/tracing/pull/2407 [#&#8203;2772]: https://github.com/tokio-rs/tracing/pull/2772 Thanks to [@&#8203;shayne-fletcher](https://github.com/shayne-fletcher), [@&#8203;dmlary](https://github.com/dmlary), [@&#8203;kaifastromai](https://github.com/kaifastromai), and [@&#8203;jsgf](https://github.com/jsgf) for contributing! ### [`v0.3.17`](https://github.com/tokio-rs/tracing/releases/tag/tracing-subscriber-0.3.17): tracing-subscriber 0.3.17 [Compare Source](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.16...tracing-subscriber-0.3.17) This release of `tracing-subscriber` fixes a build error when using `env-filter` with recent versions of the `regex` crate. It also introduces several minor API improvements. ##### Fixed - **env-filter**: Add "unicode-case" and "unicode-perl" to the `regex` dependency, fixing a build error with recent versions of `regex` ([#&#8203;2566]) - A number of minor documentation typos and other fixes ([#&#8203;2384], [#&#8203;2378], [#&#8203;2368], [#&#8203;2548]) ##### Added - **filter**: Add `fmt::Display` impl for `filter::Targets` ([#&#8203;2343]) - **fmt**: Made `with_ansi(false)` no longer require the "ansi" feature, so that ANSI formatting escapes can be disabled without requiring ANSI-specific dependencies ([#&#8203;2532]) ##### Changed - **fmt**: Dim targets in the `Compact` formatter, matching the default formatter ([#&#8203;2409]) Thanks to [@&#8203;keepsimple1](https://github.com/keepsimple1), [@&#8203;andrewhalle](https://github.com/andrewhalle), [@&#8203;LeoniePhiline](https://github.com/LeoniePhiline), [@&#8203;LukeMathWalker](https://github.com/LukeMathWalker), [@&#8203;howardjohn](https://github.com/howardjohn), [@&#8203;daxpedda](https://github.com/daxpedda), and [@&#8203;dbidwell94](https://github.com/dbidwell94) for contributing to this release! [#&#8203;2566]: https://github.com/tokio-rs/tracing/pull/2566 [#&#8203;2384]: https://github.com/tokio-rs/tracing/pull/2384 [#&#8203;2378]: https://github.com/tokio-rs/tracing/pull/2378 [#&#8203;2368]: https://github.com/tokio-rs/tracing/pull/2368 [#&#8203;2548]: https://github.com/tokio-rs/tracing/pull/2548 [#&#8203;2343]: https://github.com/tokio-rs/tracing/pull/2343 [#&#8203;2532]: https://github.com/tokio-rs/tracing/pull/2532 [#&#8203;2409]: https://github.com/tokio-rs/tracing/pull/2409 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI1My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
renovate added 1 commit 2026-06-28 23:24:58 -07:00
chore(deps): update rust crate tracing-subscriber to 0.3.20 [security]
Some checks failed
Validate / Check-1 (push) Failing after 1s
Validate / Test Suite-1 (push) Failing after 1s
Validate / Lints (push) Failing after 1s
Validate / Check (push) Has been cancelled
Validate / Check-2 (push) Has been cancelled
Validate / Test Suite (push) Has been cancelled
Validate / Test Suite-2 (push) Has been cancelled
087db20a21
renovate scheduled this pull request to auto merge when all checks succeed 2026-06-28 23:24:59 -07:00
Some checks failed
Validate / Check-1 (push) Failing after 1s
Validate / Test Suite-1 (push) Failing after 1s
Validate / Lints (push) Failing after 1s
Validate / Check (push) Has been cancelled
Validate / Check-2 (push) Has been cancelled
Validate / Test Suite (push) Has been cancelled
Validate / Test Suite-2 (push) Has been cancelled
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/crate-tracing-subscriber-vulnerability:renovate/crate-tracing-subscriber-vulnerability
git checkout renovate/crate-tracing-subscriber-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout main
git merge --no-ff renovate/crate-tracing-subscriber-vulnerability
git checkout renovate/crate-tracing-subscriber-vulnerability
git rebase main
git checkout main
git merge --ff-only renovate/crate-tracing-subscriber-vulnerability
git checkout renovate/crate-tracing-subscriber-vulnerability
git rebase main
git checkout main
git merge --no-ff renovate/crate-tracing-subscriber-vulnerability
git checkout main
git merge --squash renovate/crate-tracing-subscriber-vulnerability
git checkout main
git merge --ff-only renovate/crate-tracing-subscriber-vulnerability
git checkout main
git merge renovate/crate-tracing-subscriber-vulnerability
git push origin main
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Sulkta-OSS/pallas#12
No description provided.