Fix cargo-audit vulnerabilities and warnings #185

Description

@heueristik

Result from running https://crates.io/crates/cargo-audit on:

 ➜  arm-risc0 git:(c138fc0) cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 897 security advisories (from /Users/michaelheuer/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (565 crate dependencies)
Crate:     rsa
Version:   0.9.8
Title:     Marvin Attack: potential key recovery through timing sidechannels
Date:      2023-11-22
ID:        RUSTSEC-2023-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity:  5.9 (medium)
Solution:  No fixed upgrade is available!
Dependency tree:
rsa 0.9.8
└── rzup 0.5.1
    ├── risc0-zkvm 3.0.3
    │   └── arm 1.0.0
    │       ├── arm-test-witness 1.0.0
    │       │   └── arm-test-app 1.0.0
    │       ├── arm-test-app 1.0.0
    │       └── arm-gadgets 1.0.0
    │           └── arm-test-witness 1.0.0
    ├── risc0-groth16 3.0.2
    │   └── risc0-zkvm 3.0.3
    └── risc0-build 3.0.3
        └── risc0-zkvm 3.0.3

Crate:     ruint
Version:   1.17.0
Title:     Unsoundness of safe `reciprocal_mg10`
Date:      2025-12-22
ID:        RUSTSEC-2025-0137
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0137
Solution:  Upgrade to >=1.17.1
Dependency tree:
ruint 1.17.0
├── risc0-binfmt 3.0.2
│   ├── risc0-zkvm 3.0.3
│   │   └── arm 1.0.0
│   │       ├── arm-test-witness 1.0.0
│   │       │   └── arm-test-app 1.0.0
│   │       ├── arm-test-app 1.0.0
│   │       └── arm-gadgets 1.0.0
│   │           └── arm-test-witness 1.0.0
│   ├── risc0-groth16 3.0.2
│   │   └── risc0-zkvm 3.0.3
│   ├── risc0-circuit-rv32im 4.0.2
│   │   └── risc0-zkvm 3.0.3
│   ├── risc0-circuit-keccak 4.0.2
│   │   └── risc0-zkvm 3.0.3
│   └── risc0-build 3.0.3
│       └── risc0-zkvm 3.0.3
├── circom-witnesscalc 0.2.1
│   └── risc0-groth16 3.0.2
└── alloy-primitives 1.4.1
    ├── arm-gadgets 1.0.0
    ├── alloy-sol-types 1.4.1
    │   └── arm-gadgets 1.0.0
    └── alloy-json-abi 1.4.1
        └── alloy-sol-types 1.4.1

Crate:     tracing-subscriber
Version:   0.2.25
Title:     Logging user input may result in poisoning logs with ANSI escape sequences
Date:      2025-08-29
ID:        RUSTSEC-2025-0055
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0055
Solution:  Upgrade to >=0.3.20
Dependency tree:
tracing-subscriber 0.2.25
└── ark-relations 0.5.1
    ├── ark-snark 0.5.1
    │   └── ark-crypto-primitives 0.5.0
    │       └── ark-groth16 0.5.0
    │           └── risc0-groth16 3.0.2
    │               └── risc0-zkvm 3.0.3
    │                   └── arm 1.0.0
    │                       ├── arm-test-witness 1.0.0
    │                       │   └── arm-test-app 1.0.0
    │                       ├── arm-test-app 1.0.0
    │                       └── arm-gadgets 1.0.0
    │                           └── arm-test-witness 1.0.0
    ├── ark-r1cs-std 0.5.0
    │   └── ark-bn254 0.5.0
    │       ├── risc0-groth16 3.0.2
    │       └── circom-witnesscalc 0.2.1
    │           └── risc0-groth16 3.0.2
    ├── ark-groth16 0.5.0
    └── ark-crypto-primitives 0.5.0

Crate:     atomic-polyfill
Version:   1.0.3
Warning:   unmaintained
Title:     atomic-polyfill is unmaintained
Date:      2023-07-11
ID:        RUSTSEC-2023-0089
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0089
Dependency tree:
atomic-polyfill 1.0.3
└── heapless 0.7.17
    └── postcard 1.1.3
        ├── risc0-circuit-rv32im 4.0.2
        │   └── risc0-zkvm 3.0.3
        │       └── arm 1.0.0
        │           ├── arm-test-witness 1.0.0
        │           │   └── arm-test-app 1.0.0
        │           ├── arm-test-app 1.0.0
        │           └── arm-gadgets 1.0.0
        │               └── arm-test-witness 1.0.0
        └── risc0-binfmt 3.0.2
            ├── risc0-zkvm 3.0.3
            ├── risc0-groth16 3.0.2
            │   └── risc0-zkvm 3.0.3
            ├── risc0-circuit-rv32im 4.0.2
            ├── risc0-circuit-keccak 4.0.2
            │   └── risc0-zkvm 3.0.3
            └── risc0-build 3.0.3
                └── risc0-zkvm 3.0.3

Crate:     derivative
Version:   2.2.0
Warning:   unmaintained
Title:     `derivative` is unmaintained; consider using an alternative
Date:      2024-06-26
ID:        RUSTSEC-2024-0388
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0388
Dependency tree:
derivative 2.2.0
├── ark-ff 0.4.2
│   └── ruint 1.17.0
│       ├── risc0-binfmt 3.0.2
│       │   ├── risc0-zkvm 3.0.3
│       │   │   └── arm 1.0.0
│       │   │       ├── arm-test-witness 1.0.0
│       │   │       │   └── arm-test-app 1.0.0
│       │   │       ├── arm-test-app 1.0.0
│       │   │       └── arm-gadgets 1.0.0
│       │   │           └── arm-test-witness 1.0.0
│       │   ├── risc0-groth16 3.0.2
│       │   │   └── risc0-zkvm 3.0.3
│       │   ├── risc0-circuit-rv32im 4.0.2
│       │   │   └── risc0-zkvm 3.0.3
│       │   ├── risc0-circuit-keccak 4.0.2
│       │   │   └── risc0-zkvm 3.0.3
│       │   └── risc0-build 3.0.3
│       │       └── risc0-zkvm 3.0.3
│       ├── circom-witnesscalc 0.2.1
│       │   └── risc0-groth16 3.0.2
│       └── alloy-primitives 1.4.1
│           ├── arm-gadgets 1.0.0
│           ├── alloy-sol-types 1.4.1
│           │   └── arm-gadgets 1.0.0
│           └── alloy-json-abi 1.4.1
│               └── alloy-sol-types 1.4.1
├── ark-ff 0.3.0
│   └── ruint 1.17.0
└── ark-crypto-primitives 0.5.0
    └── ark-groth16 0.5.0
        └── risc0-groth16 3.0.2

Crate:     number_prefix
Version:   0.4.0
Warning:   unmaintained
Title:     number_prefix crate is unmaintained
Date:      2025-11-17
ID:        RUSTSEC-2025-0119
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0119
Dependency tree:
number_prefix 0.4.0
└── indicatif 0.17.11
    └── circom-witnesscalc 0.2.1
        └── risc0-groth16 3.0.2
            └── risc0-zkvm 3.0.3
                └── arm 1.0.0
                    ├── arm-test-witness 1.0.0
                    │   └── arm-test-app 1.0.0
                    ├── arm-test-app 1.0.0
                    └── arm-gadgets 1.0.0
                        └── arm-test-witness 1.0.0

Crate:     paste
Version:   1.0.15
Warning:   unmaintained
Title:     paste - no longer maintained
Date:      2024-10-07
ID:        RUSTSEC-2024-0436
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0436
Dependency tree:
paste 1.0.15
├── syn-solidity 1.4.1
│   ├── alloy-sol-macro-input 1.4.1
│   │   ├── alloy-sol-macro-expander 1.4.1
│   │   │   └── alloy-sol-macro 1.4.1
│   │   │       └── alloy-sol-types 1.4.1
│   │   │           └── arm-gadgets 1.0.0
│   │   │               └── arm-test-witness 1.0.0
│   │   │                   └── arm-test-app 1.0.0
│   │   └── alloy-sol-macro 1.4.1
│   └── alloy-sol-macro-expander 1.4.1
├── rrs-lib 0.1.0
│   └── risc0-zkvm 3.0.3
│       └── arm 1.0.0
│           ├── arm-test-witness 1.0.0
│           ├── arm-test-app 1.0.0
│           └── arm-gadgets 1.0.0
├── risc0-zkvm-platform 2.2.1
│   ├── risc0-zkvm 3.0.3
│   ├── risc0-zkp 3.0.2
│   │   ├── risc0-zkvm 3.0.3
│   │   ├── risc0-groth16 3.0.2
│   │   │   └── risc0-zkvm 3.0.3
│   │   ├── risc0-circuit-rv32im 4.0.2
│   │   │   └── risc0-zkvm 3.0.3
│   │   ├── risc0-circuit-recursion 4.0.2
│   │   │   ├── risc0-zkvm 3.0.3
│   │   │   └── risc0-circuit-keccak 4.0.2
│   │   │       └── risc0-zkvm 3.0.3
│   │   ├── risc0-circuit-keccak 4.0.2
│   │   ├── risc0-build 3.0.3
│   │   │   └── risc0-zkvm 3.0.3
│   │   └── risc0-binfmt 3.0.2
│   │       ├── risc0-zkvm 3.0.3
│   │       ├── risc0-groth16 3.0.2
│   │       ├── risc0-circuit-rv32im 4.0.2
│   │       ├── risc0-circuit-keccak 4.0.2
│   │       └── risc0-build 3.0.3
│   ├── risc0-zkos-v1compat 2.2.0
│   │   ├── risc0-zkvm 3.0.3
│   │   └── risc0-build 3.0.3
│   ├── risc0-build 3.0.3
│   └── risc0-binfmt 3.0.2
├── risc0-zkp 3.0.2
├── risc0-circuit-rv32im 4.0.2
├── risc0-circuit-keccak 4.0.2
├── metal 0.29.0
│   ├── risc0-zkp 3.0.2
│   └── risc0-circuit-recursion 4.0.2
├── gdbstub 0.7.7
│   ├── risc0-zkvm 3.0.3
│   ├── risc0-circuit-rv32im 4.0.2
│   └── gdbstub_arch 0.3.2
│       ├── risc0-zkvm 3.0.3
│       └── risc0-circuit-rv32im 4.0.2
├── ark-ff 0.5.0
│   ├── ruint 1.17.0
│   │   ├── risc0-binfmt 3.0.2
│   │   ├── circom-witnesscalc 0.2.1
│   │   │   └── risc0-groth16 3.0.2
│   │   └── alloy-primitives 1.4.1
│   │       ├── arm-gadgets 1.0.0
│   │       ├── alloy-sol-types 1.4.1
│   │       └── alloy-json-abi 1.4.1
│   │           └── alloy-sol-types 1.4.1
│   ├── risc0-groth16 3.0.2
│   ├── circom-witnesscalc 0.2.1
│   ├── ark-snark 0.5.1
│   │   └── ark-crypto-primitives 0.5.0
│   │       └── ark-groth16 0.5.0
│   │           └── risc0-groth16 3.0.2
│   ├── ark-relations 0.5.1
│   │   ├── ark-snark 0.5.1
│   │   ├── ark-r1cs-std 0.5.0
│   │   │   └── ark-bn254 0.5.0
│   │   │       ├── risc0-groth16 3.0.2
│   │   │       └── circom-witnesscalc 0.2.1
│   │   ├── ark-groth16 0.5.0
│   │   └── ark-crypto-primitives 0.5.0
│   ├── ark-r1cs-std 0.5.0
│   ├── ark-poly 0.5.0
│   │   ├── ark-groth16 0.5.0
│   │   └── ark-ec 0.5.0
│   │       ├── risc0-groth16 3.0.2
│   │       ├── ark-r1cs-std 0.5.0
│   │       ├── ark-groth16 0.5.0
│   │       ├── ark-crypto-primitives 0.5.0
│   │       └── ark-bn254 0.5.0
│   ├── ark-groth16 0.5.0
│   ├── ark-ec 0.5.0
│   ├── ark-crypto-primitives 0.5.0
│   └── ark-bn254 0.5.0
├── ark-ff 0.4.2
│   └── ruint 1.17.0
├── ark-ff 0.3.0
│   └── ruint 1.17.0
└── alloy-primitives 1.4.1

error: 3 vulnerabilities found!
warning: 4 allowed warnings found
