chore(deps): update rust crate tracing-subscriber to 0.3.20 [security] #12
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/crate-tracing-subscriber-vulnerability"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
0.3.16→0.3.200.3.17→0.3.200.3.16→0.3.20Tracing logging user input may result in poisoning logs with ANSI escape sequences
CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055
More information
Details
Impact
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
Patches
tracing-subscriberversion 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.Workarounds
Avoid printing logs to terminal emulators without escaping ANSI control sequences.
References
https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/
Acknowledgments
We would like to thank zefr0x who responsibly reported the issue at
security@tokio.rs.If you believe you have found a security vulnerability in any tokio-rs project, please email us at
security@tokio.rs.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Logging user input may result in poisoning logs with ANSI escape sequences
CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055
More information
Details
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
This was patched in PR #3368 to escape ANSI control characters from user input.
Severity
Unknown
References
This data is provided by OSV and the Rust Advisory Database (CC0 1.0).
Release Notes
tokio-rs/tracing (tracing-subscriber)
v0.3.20: tracing-subscriber 0.3.20Compare Source
Security Fix: ANSI Escape Sequence Injection (CVE-TBD)
Impact
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.
Solution
Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.
Affected Versions
All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.
Recommendations
Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:
Migration
This is a patch release with no breaking API changes. Simply update your Cargo.toml:
Acknowledgments
We would like to thank zefr0x who responsibly reported the issue at
security@tokio.rs.If you believe you have found a security vulnerability in any tokio-rs project, please email us at
security@tokio.rs.v0.3.19: tracing-subscriber 0.3.19Compare Source
[ crates.io ] | [ docs.rs ]
This release updates the
tracingdependency to v0.1.41 andthe
tracing-serdedependency to v0.2.0.Added
set_span_eventstofmt::Subscriber(#2962)&[u8]to be recorded as event/span field (#2954)Changed
logmax level when reloading (#1270)thread_locals when possible (#2838)with_ansi()on the "ansi" feature (#3020)v0.3.18: tracing-subscriber 0.3.18Compare Source
This release of
tracing-subscriberadds support for theNO_COLORenvironmentvariable (an informal standard to disable emitting ANSI color escape codes) in
fmt::Layer, reintroduces support for thechronocrate, and increases theminimum supported Rust version (MSRV) to Rust 1.63.0.
It also introduces several minor API improvements.
Added
chronoimplementations ofFormatTime(#2690)NO_COLORenvironment variable infmt::Layer(#2647)format::Writer::new()public (#2680)layer::FilterforOption<Filter>(#2407)Changed
tracing-logto 0.2 (#2772)Thanks to @shayne-fletcher, @dmlary, @kaifastromai, and @jsgf for contributing!
v0.3.17: tracing-subscriber 0.3.17Compare Source
This release of
tracing-subscriberfixes a build error when usingenv-filterwith recent versions of the
regexcrate. It also introduces several minor APIimprovements.
Fixed
regexdependency, fixing a build error with recent versions of
regex(#2566)#2368, #2548)
Added
fmt::Displayimpl forfilter::Targets(#2343)with_ansi(false)no longer require the "ansi" feature, so thatANSI formatting escapes can be disabled without requiring ANSI-specific
dependencies (#2532)
Changed
Compactformatter, matching the defaultformatter (#2409)
Thanks to @keepsimple1, @andrewhalle, @LeoniePhiline, @LukeMathWalker,
@howardjohn, @daxpedda, and @dbidwell94 for contributing to this release!
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate.
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.