CVE-2025-58160 — heartwood

rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5

Radicle Heartwood Protocol & Stack

CVE-2025-58160

Merged fintohaps opened 2 months ago

This vulnerability was introduced via the test-log crate.

Updating to 0.2.19 in turn updates tracing-subscriber to 0.3.22 which is in the acceptable upgrade range.

2 files changed +27 -49 03bbe524 → 2d0db3c6

modified Cargo.lock

@@ -345,7 +345,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"

 checksum = "234113d19d0d7d613b40e86fb654acf958910802bcceab913a4f9e7cda03b1a4"
 dependencies = [
  "memchr",
  "regex-automata 0.4.9",
  "regex-automata",
  "serde",
 ]

@@ -974,8 +974,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"

 checksum = "6e24cb5a94bcae1e5408b0effca5cd7172ea3c5755049c5f3af4cd283a165298"
 dependencies = [
  "bit-set",
  "regex-automata 0.4.9",
  "regex-syntax 0.8.5",
  "regex-automata",
  "regex-syntax",
 ]
 [[package]]

@@ -2075,7 +2075,7 @@ dependencies = [

  "percent-encoding",
  "referencing",
  "regex",
  "regex-syntax 0.8.5",
  "regex-syntax",
  "serde",
  "serde_json",
  "uuid-simd",

@@ -2195,11 +2195,11 @@ dependencies = [

 [[package]]
 name = "matchers"
 version = "0.1.0"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558"
 checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
 dependencies = [
  "regex-automata 0.1.10",
  "regex-automata",
 ]
 [[package]]

@@ -2318,12 +2318,11 @@ checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"

 [[package]]
 name = "nu-ansi-term"
 version = "0.46.0"
 version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
  "overload",
  "winapi",
  "windows-sys 0.59.0",
 ]
 [[package]]

@@ -2469,12 +2468,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"

 checksum = "1a80800c0488c3a21695ea981a54918fbb37abf04f4d0720c453632255e2ff0e"
 [[package]]
 name = "overload"
 version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
 [[package]]
 name = "p256"
 version = "0.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"

@@ -2752,7 +2745,7 @@ dependencies = [

  "rand 0.9.2",
  "rand_chacha 0.9.0",
  "rand_xorshift",
  "regex-syntax 0.8.5",
  "regex-syntax",
  "rusty-fork",
  "tempfile",
  "unarray",

@@ -3354,17 +3347,8 @@ checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"

 dependencies = [
  "aho-corasick",
  "memchr",
  "regex-automata 0.4.9",
  "regex-syntax 0.8.5",
 ]
 [[package]]
 name = "regex-automata"
 version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
 dependencies = [
  "regex-syntax 0.6.29",
  "regex-automata",
  "regex-syntax",
 ]
 [[package]]

@@ -3375,17 +3359,11 @@ checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"

 dependencies = [
  "aho-corasick",
  "memchr",
  "regex-syntax 0.8.5",
  "regex-syntax",
 ]
 [[package]]
 name = "regex-syntax"
 version = "0.6.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
 [[package]]
 name = "regex-syntax"
 version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"

@@ -4115,9 +4093,9 @@ dependencies = [

 [[package]]
 name = "test-log"
 version = "0.2.18"
 version = "0.2.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e33b98a582ea0be1168eba097538ee8dd4bbe0f2b01b22ac92ea30054e5be7b"
 checksum = "37d53ac171c92a39e4769491c4b4dde7022c60042254b5fc044ae409d34a24d4"
 dependencies = [
  "env_logger",
  "test-log-macros",

@@ -4126,9 +4104,9 @@ dependencies = [

 [[package]]
 name = "test-log-macros"
 version = "0.2.18"
 version = "0.2.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "451b374529930d7601b1eef8d32bc79ae870b6079b069401709c2a8bf9e75f36"
 checksum = "be35209fd0781c5401458ab66e4f98accf63553e8fae7425503e92fdd319783b"
 dependencies = [
  "proc-macro2",
  "quote",

@@ -4291,9 +4269,9 @@ checksum = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64"

 [[package]]
 name = "tracing"
 version = "0.1.41"
 version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
 checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
 dependencies = [
  "pin-project-lite",
  "tracing-core",

@@ -4301,9 +4279,9 @@ dependencies = [

 [[package]]
 name = "tracing-core"
 version = "0.1.34"
 version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678"
 checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
 dependencies = [
  "once_cell",
  "valuable",

@@ -4322,14 +4300,14 @@ dependencies = [

 [[package]]
 name = "tracing-subscriber"
 version = "0.3.19"
 version = "0.3.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008"
 checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
 dependencies = [
  "matchers",
  "nu-ansi-term",
  "once_cell",
  "regex",
  "regex-automata",
  "sharded-slab",
  "thread_local",
  "tracing",

@@ -4345,7 +4323,7 @@ checksum = "b67baf55e7e1b6806063b1e51041069c90afff16afcbbccd278d899f9d84bca4"

 dependencies = [
  "cc",
  "regex",
  "regex-syntax 0.8.5",
  "regex-syntax",
  "streaming-iterator",
  "tree-sitter-language",
 ]

modified crates/radicle-node/Cargo.toml

@@ -58,4 +58,4 @@ radicle = { workspace = true, features = ["test"] }

 radicle-protocol = { workspace = true, features = ["test"] }
 radicle-crypto = { workspace = true, features = ["test", "cyphernet"] }
 snapbox = { workspace = true }
 test-log = "0.2.18"
 test-log = "0.2.19"