Skip to content

chore(deps): update rust crate tracing-subscriber to v0.3.20 [security] #156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update rust crate tracing-subscriber to v0.3.20 [security] #156

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 31, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
tracing-subscriber (source) dependencies patch 0.3.190.3.20

GitHub Vulnerability Alerts

CVE-2025-58160

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Patches

tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Workarounds

Avoid printing logs to terminal emulators without escaping ANSI control sequences.

References

https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Release Notes

tokio-rs/tracing (tracing-subscriber)

v0.3.20: tracing-subscriber 0.3.20

Compare Source

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner August 31, 2025 09:54
@codecov
Copy link

codecov bot commented Aug 31, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.80%. Comparing base (8709c49) to head (ac625b5).
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #156   +/-   ##
=======================================
  Coverage   89.80%   89.80%           
=======================================
  Files          10       10           
  Lines        1628     1628           
=======================================
  Hits         1462     1462           
  Misses        166      166

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8709c49...ac625b5. Read the comment docs.

@renovate renovate bot changed the title fix(deps): update rust crate tracing-subscriber to v0.3.20 [security] chore(deps): update rust crate tracing-subscriber to v0.3.20 [security] Sep 25, 2025
@renovate renovate bot force-pushed the renovate/crate-tracing-subscriber-vulnerability branch 2 times, most recently from 34894c7 to 35c1d4d Compare December 16, 2025 08:31
@renovate renovate bot force-pushed the renovate/crate-tracing-subscriber-vulnerability branch from 35c1d4d to ac625b5 Compare December 17, 2025 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant