Skip to content

fix: update testcontainers to v0.27.0 to remediate CVE-2025-62518#396

Merged
julio4 merged 3 commits intoflashbots:mainfrom
okx:fix/cve-2025-62518-tokio-tar
Mar 2, 2026
Merged

fix: update testcontainers to v0.27.0 to remediate CVE-2025-62518#396
julio4 merged 3 commits intoflashbots:mainfrom
okx:fix/cve-2025-62518-tokio-tar

Conversation

@Vui-Chee
Copy link
Contributor

@Vui-Chee Vui-Chee commented Feb 20, 2026

Summary

This PR updates the testcontainers dependency from v0.24.0 to v0.27.0 to remediate CVE-2025-62518 (GHSA-j5gw-2vrg-8fgx), a HIGH severity vulnerability in tokio-tar.

Vulnerability Details

  • CVE ID: CVE-2025-62518
  • GHSA ID: GHSA-j5gw-2vrg-8fgx
  • Severity: HIGH (CVSS 8.1)
  • Issue: PAX header desynchronization allowing tar archive entry smuggling
  • Affected: tokio-tar <= 0.3.1 (no patched version available)
  • Fixed in: astral-tokio-tar >= 0.5.6 (replacement package)
  • Impact Scope: Test framework only (ExternalNode test infrastructure)

Dependency Chain

Before:

op-rbuilder (0.3.1)
└── testcontainers (0.24.0)
    └── tokio-tar (0.3.1) ← VULNERABLE

After:

op-rbuilder (0.3.1)
└── testcontainers (0.27.0)
    └── astral-tokio-tar (0.5.6) ← FIXED

Changes Made

  1. Updated Dependencies:

    • testcontainers: 0.24.00.27.0
    • Updated Cargo.lock via cargo update -p testcontainers

  2. Fixed Breaking API Changes in bollard (used by testcontainers):

    • Updated imports: ConfigContainerCreateBody
    • Moved Options types to query_parameters module
    • Moved model types to separate models module
    • Removed generic type parameters from Options structs (e.g., StartContainerOptions<String>StartContainerOptions)
    • Changed boolean Option fields to plain bools in AttachContainerOptions
    • Updated CreateImageOptions fields to use Option<String>

  3. Files Modified:

    • crates/op-rbuilder/Cargo.toml: Updated testcontainers version
    • Cargo.lock: Updated dependency tree
    • crates/op-rbuilder/src/tests/framework/external.rs: Fixed API compatibility

Verification

Vulnerability Remediation:

  • cargo tree -i tokio-tar: Package no longer in dependency tree
  • cargo tree -p testcontainers: Confirms astral-tokio-tar v0.5.6 is used
  • cargo audit: No tokio-tar vulnerabilities found

Compilation Checks:

  • cargo build -p op-rbuilder --bin op-rbuilder: Success
  • cargo build -p op-rbuilder --bin tester --features testing: Success
  • cargo clippy --all-features: No warnings

Test Suite:

  • cargo test -p op-rbuilder --features testing: All 110 tests pass

References

@Vui-Chee
chore: update testcontainers to v0.27.0 to fix CVE-2025-62518
acd7bf2 
This commit updates the testcontainers dependency from v0.24.0 to v0.27.0,
which replaces the vulnerable tokio-tar (CVE-2025-62518) with the patched
astral-tokio-tar >= 0.5.6.

CVE-2025-62518 is a HIGH severity vulnerability (CVSS 8.1) in tokio-tar
that allows PAX header desynchronization and tar archive entry smuggling.

Changes:
- Updated testcontainers from 0.24.0 to 0.27.0 in Cargo.toml
- Updated Cargo.lock with cargo update -p testcontainers
- Fixed breaking API changes in bollard (used by testcontainers):
  - Updated imports: Config -> ContainerCreateBody, moved Options types
    to query_parameters module, moved models to separate module
  - Removed generic type parameters from Options structs
  - Changed boolean Option fields to plain bools in AttachContainerOptions
  - Updated CreateImageOptions fields to use Option<String>

Verification:
- cargo tree confirms tokio-tar is removed from dependency tree
- cargo tree confirms astral-tokio-tar v0.5.6 is now used
- cargo audit shows no tokio-tar vulnerabilities
- All compilation checks pass (op-rbuilder, tester, clippy)
- All 110 tests pass successfully

Fixes CVE-2025-62518 (GHSA-j5gw-2vrg-8fgx)
julio4
julio4 approved these changes Feb 20, 2026
View reviewed changes
Copy link
Member

@julio4 julio4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@Vui-Chee
Copy link
Contributor Author

Vui-Chee commented Feb 23, 2026

@julio4 The nightly lint failed on an old crate shellexpand. But this crate is no longer maintained and seems not updated for a while. It is very likely that the CI linting checks will continue to fail.

@julio4
Copy link
Member

julio4 commented Feb 23, 2026

@julio4 The nightly lint failed on an old crate shellexpand. But this crate is no longer maintained and seems not updated for a while. It is very likely that the CI linting checks will continue to fail.

yes I noticed I'll fix it asap and merge this!

@julio4
Copy link
Member

julio4 commented Feb 24, 2026

@Vui-Chee Could you rebase on main? I don't have write permission to update on your branch myself

@Vui-Chee
Copy link
Contributor Author

Vui-Chee commented Feb 24, 2026

@julio4 ok!

@Vui-Chee
Merge remote-tracking branch 'upstream/main' into fix/cve-2025-62518-…
7a6684b 
…tokio-tar

* upstream/main:
  chore: rename bundle fields for consistency (no api change) (flashbots#402)
  Hotfix: pin nightly version to resolve str::as_str() regression (flashbots#401)
  update builder-playground usage for local devnet runs and testing (flashbots#395)
@Vui-Chee
Copy link
Contributor Author

Vui-Chee commented Feb 28, 2026

@julio4 Follow up?

Vui-Chee added a commit to okx/xlayer-reth that referenced this pull request Mar 2, 2026
@Vui-Chee
fix: update testcontainers to v0.27.0 to remediate CVE-2025-62518
a1d5e20 
Update testcontainers from v0.24.0 to v0.27.0, which replaces the
vulnerable tokio-tar (CVE-2025-62518, CVSS 8.1) with the patched
astral-tokio-tar >= v0.5.6.

Changes:
- Updated testcontainers version in crates/builder/Cargo.toml
- Fixed breaking bollard API changes in external.rs:
  - Config -> ContainerCreateBody
  - Moved Options types to query_parameters module
  - Moved model types to models module
  - Removed generic type parameters from Options structs
  - Changed boolean Option fields to plain bools in AttachContainerOptions
  - Updated CreateImageOptions fields to use Option<String>
- Updated Cargo.lock

Ported from upstream: flashbots/op-rbuilder#396
@Vui-Chee Vui-Chee mentioned this pull request Mar 2, 2026
Merged
louisliu2048 pushed a commit to okx/xlayer-reth that referenced this pull request Mar 2, 2026
@Vui-Chee
fix: update testcontainers to v0.27.0 to remediate CVE-2025-62518 (#164)
18bd449 
* fix: update testcontainers to v0.27.0 to remediate CVE-2025-62518

Update testcontainers from v0.24.0 to v0.27.0, which replaces the
vulnerable tokio-tar (CVE-2025-62518, CVSS 8.1) with the patched
astral-tokio-tar >= v0.5.6.

Changes:
- Updated testcontainers version in crates/builder/Cargo.toml
- Fixed breaking bollard API changes in external.rs:
  - Config -> ContainerCreateBody
  - Moved Options types to query_parameters module
  - Moved model types to models module
  - Removed generic type parameters from Options structs
  - Changed boolean Option fields to plain bools in AttachContainerOptions
  - Updated CreateImageOptions fields to use Option<String>
- Updated Cargo.lock

Ported from upstream: flashbots/op-rbuilder#396

* fmt
@julio4 julio4 merged commit 11796e7 into flashbots:main Mar 2, 2026
4 of 5 checks passed
This was referenced Feb 26, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julio4 julio4 julio4 approved these changes

@SozinM SozinM Awaiting requested review from SozinM SozinM is a code owner

@avalonche avalonche Awaiting requested review from avalonche avalonche is a code owner

@karim-agha karim-agha Awaiting requested review from karim-agha karim-agha is a code owner

@0x416e746f6e 0x416e746f6e Awaiting requested review from 0x416e746f6e 0x416e746f6e is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Vui-Chee @julio4