Skip to content

chore(deps): update rust crate tracing-subscriber to v0.3.20 [security]#189

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/crate-tracing-subscriber-vulnerability
Open

chore(deps): update rust crate tracing-subscriber to v0.3.20 [security]#189
renovate[bot] wants to merge 1 commit intomainfrom
renovate/crate-tracing-subscriber-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 29, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
tracing-subscriber (source) dependencies patch 0.3.190.3.20

GitHub Vulnerability Alerts

CVE-2025-58160

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Patches

tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Workarounds

Avoid printing logs to terminal emulators without escaping ANSI control sequences.

References

https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Release Notes

tokio-rs/tracing (tracing-subscriber)

v0.3.20: tracing-subscriber 0.3.20

Compare Source

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) August 29, 2025 20:56
@coderabbitai
Copy link

coderabbitai bot commented Aug 29, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Join our Discord community for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Aug 29, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

ellipsis-dev[bot]
ellipsis-dev bot reviewed Aug 29, 2025
View reviewed changes
Copy link

@ellipsis-dev ellipsis-dev bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

Looks good to me! 👍

Reviewed everything up to 2859ac5 in 41 seconds. Click for details.
  • Reviewed 16 lines of code in 1 files
  • Skipped 0 files when reviewing.
  • Skipped posting 1 draft comments. View those below.
  • Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. Cargo.lock:1093
  • Draft comment:
    The version bump for tracing-subscriber to 0.3.20 (with updated checksum) appears correct and addresses the security fix. Please ensure that the corresponding dependency in Cargo.toml is also updated if applicable.
  • Reason this comment was not posted:
    Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is primarily informative, mentioning the version bump and checksum update. It also asks the author to ensure that the dependency in Cargo.toml is updated, which violates the rule against asking the author to ensure things. Therefore, this comment should be removed.

Workflow ID: wflow_4SQbZYALvggTgOTL

You can customize Ellipsis by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.

@codecov
Copy link

codecov bot commented Aug 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.10%. Comparing base (9480a90) to head (2859ac5).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #189   +/-   ##
=======================================
  Coverage   95.10%   95.10%           
=======================================
  Files          12       12           
  Lines        2818     2818           
=======================================
  Hits         2680     2680           
  Misses        138      138

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@codspeed-hq
Copy link

codspeed-hq bot commented Aug 29, 2025

CodSpeed Performance Report

Merging #189 will not alter performance

Comparing renovate/crate-tracing-subscriber-vulnerability (2859ac5) with main (9480a90)

Summary

✅ 3 untouched benchmarks

@renovate renovate bot changed the title fix(deps): update rust crate tracing-subscriber to v0.3.20 [security] chore(deps): update rust crate tracing-subscriber to v0.3.20 [security] Sep 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ellipsis-dev ellipsis-dev[bot] ellipsis-dev[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants