Skip to content

fix(deps): update rust crate tracing-subscriber to 0.3.20 [security] #134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 3, 2025
Merged

fix(deps): update rust crate tracing-subscriber to 0.3.20 [security] #134

merged 1 commit into from
Nov 3, 2025

Conversation

@renovate-sh-app
Copy link
Contributor

@renovate-sh-app renovate-sh-app bot commented Oct 23, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
tracing-subscriber (source) dependencies patch 0.3.17 -> 0.3.20

Tracing logging user input may result in poisoning logs with ANSI escape sequences

CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055

More information

Details

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Patches

tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Workarounds

Avoid printing logs to terminal emulators without escaping ANSI control sequences.

References

https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Logging user input may result in poisoning logs with ANSI escape sequences

CVE-2025-58160 / GHSA-xwfj-jgwm-7wp5 / RUSTSEC-2025-0055

More information

Details

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in PR #​3368 to escape ANSI control characters from user input.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).

Release Notes

tokio-rs/tracing (tracing-subscriber)

v0.3.20: tracing-subscriber 0.3.20

Compare Source

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

v0.3.19: tracing-subscriber 0.3.19

Compare Source

[ crates.io ] | [ docs.rs ]

This release updates the tracing dependency to v0.1.41 and
the tracing-serde dependency to v0.2.0.

Added
  • Add set_span_events to fmt::Subscriber (#​2962)
  • tracing: Allow &[u8] to be recorded as event/span field (#​2954)
Changed
  • Set log max level when reloading (#​1270)
  • Bump MSRV to 1.63 (#​2793)
  • Use const thread_locals when possible (#​2838)
  • Don't gate with_ansi() on the "ansi" feature (#​3020)
  • Updated tracing-serde to 0.2.0 (#​3160)

v0.3.18: tracing-subscriber 0.3.18

Compare Source

This release of tracing-subscriber adds support for the NO_COLOR environment
variable (an informal standard to disable emitting ANSI color escape codes) in
fmt::Layer, reintroduces support for the chrono crate, and increases the
minimum supported Rust version (MSRV) to Rust 1.63.0.

It also introduces several minor API improvements.

Added
  • chrono: Add chrono implementations of FormatTime (#​2690)
  • subscriber: Add support for the NO_COLOR environment variable in
    fmt::Layer (#​2647)
  • fmt: make format::Writer::new() public (#​2680)
  • filter: Implement layer::Filter for Option<Filter> (#​2407)
Changed
  • log: bump version of tracing-log to 0.2 (#​2772)
  • Increased minimum supported Rust version (MSRV) to 1.63.0+.

Thanks to @​shayne-fletcher, @​dmlary, @​kaifastromai, and @​jsgf for contributing!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app
fix(deps): update rust crate tracing-subscriber to 0.3.20 [security]
1522096 
| datasource | package            | from   | to     |
| ---------- | ------------------ | ------ | ------ |
| crate      | tracing-subscriber | 0.3.17 | 0.3.20 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot requested a review from sd2k as a code owner October 23, 2025 12:32
@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) October 23, 2025 12:32
@renovate-sh-app renovate-sh-app bot merged commit c2bb7e6 into main Nov 3, 2025
13 of 14 checks passed
@renovate-sh-app renovate-sh-app bot deleted the renovate/crate-tracing-subscriber-vulnerability branch November 3, 2025 09:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sd2k sd2k sd2k approved these changes

Assignees

No one assigned

Labels

automerge-security-update severity:UNKNOWN

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sd2k