chore(monorepo): update rust crate alloy-dyn-abi to 0.8.0 [security] #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into main from renovate/crate-alloy-dyn-abi-vulnerability

renovate bot commented Oct 15, 2025 •

edited

Loading

This PR contains the following updates:

Package	Type	Update	Change
alloy-dyn-abi (source)	workspace.dependencies	minor	`0.7.0` → `0.8.0`

GitHub Vulnerability Alerts

CVE-2025-62370

Impact

An uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash().

Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.

Patches

The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.

Workarounds

There is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.

Reported by

Christian Reitter & Zeke Mostov from Turnkey

Release Notes

alloy-rs/core (alloy-dyn-abi)

`v0.8.26`: alloy-core v0.8.26

Security

Patched: DoS vulnerability on `alloy_dyn_abi::TypedData` hashing

An uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash().

Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.

The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.

See: GHSA-pgp9-98jm-wwq2

Full Changelog: alloy-rs/core@v0.8.25...v0.8.26

`v0.8.25`: alloy-core v0.8.25

What's Changed

chore: add hash_ref function to sealed.rs by @shane-moore in #920
fix: do not rely on bytes dependency in wrap_fixed_bytes! by @klkvr in #918
fix(primitives): Remove undefined behavior in FixedBytes by @dist1ll in #919

New Contributors

@shane-moore made their first contribution in #920
@dist1ll made their first contribution in #919

Full Changelog: alloy-rs/core@v0.8.24...v0.8.25

`v0.8.24`

Features

[sol-macro] Improve call return encoding (#909)

`v0.8.23`

Bug Fixes

[sol-expander] Rename from/into + impl From (#905)
[sol!] Pass correct call_struct to call_builder in expansion (#901)
[sol-macro] Rm fake transport from contract expansion (#865)

Dependencies

[deps] Bump getrandom to 0.3, rand to 0.9 (#869)

Features

[primitives] Remove From<String> for Bytes (#907)
[sol!] Gen unit/tuple structs for errors, calls, events with 0/1 param (#883)
[sol-macro] Function calls should directly yield result (#855)
[sol-types] Rm validate: bool (#863)

Miscellaneous Tasks

Remove deprecated Signature (#899)

Other

Merge branch 'main' into v1.0-rc

`v0.8.22`

Dependencies

[deps] Bump derive_more to 2 (#871)

Documentation

[primitives] Report some Bytes methods may panic (#877)
[primitives] random functions are cryptographically secure (#872)

Features

[primitives] Add some more utility methods to PrimitiveSignature (#888)
Erc2098 signature representation (#874)
Add TxKind::into_to (#875)
[primitives] Improve rand implementations, use thread_rng when available (#870)

Miscellaneous Tasks

Release 0.8.22
Simplify uninit_array usage (#889)

`v0.8.21`

Bug Fixes

[sol-macro] Call proc_macro_error handler manually (#866)

Features

Add helpers for revertreason (#867)
[sol-macro-expander] Increase resolve limit to 128 (#864)

Miscellaneous Tasks

Release 0.8.21

`v0.8.20`

Dependencies

[deps] Bump winnow 0.7 (#862)

Documentation

Add 0x to alloy-primitives readme example (#861)

Features

Add Sealed::as_sealed_ref (#859)
Add Sealed::cloned (#860)

Miscellaneous Tasks

Release 0.8.20
Clippy (#858)

`v0.8.19`

Documentation

Enable some useful rustdoc features on docs.rs (#850)
Hide hex_literal export (#849)

Features

[json-abi] Add Param.name() accessor (#856)
[sol-types] Improve ABI decoding error messages (#851)

Miscellaneous Tasks

Release 0.8.19

`v0.8.18`

Bug Fixes

[primitives] Hex macro re-export (#848)

Miscellaneous Tasks

Release 0.8.18

`v0.8.17`

Bug Fixes

Coerce pow overflow (#838)

Documentation

Typos (#847)
[sol-macro] Document visibility and state mutability (#846)

Features

[sol-macro] Translate contract types to address (#842)
Support 0x in hex! and similar macros (#841)
[sol-macro] Evaluate array sizes (#840)
[primitives] Re-export foldhash (#839)
Re-export rayon traits implementations (#836)

Miscellaneous Tasks

Release 0.8.17

Testing

[sol-macro] Add a test for missing_docs (#845)
Re-enable miri on foldhash (#844)
[sol-macro] Add a test for namespaced types (#843)

`v0.8.16`

Bug Fixes

Re-enable foldhash on zkvm (#833)
Allow non-boolean v values for PrimitiveSignature (#832)
[syn-solidity] Correctly parse invalid bytes* etc as custom (#830)

Features

[dyn-abi] Support parse scientific number (#835)
Re-export rayon feature (#827)

Miscellaneous Tasks

Release 0.8.16
Clippy (#834)
Add clone_inner (#825)
Shorten map type alias names (#824)
[primitives] Remove rustc-hash workaround (#822)

Other

Move deny to ci (#821)

`v0.8.15`

Miscellaneous Tasks

Release 0.8.15
Mark Signature as deprecated (#819)
AsRef for Log (#820)
Update release.toml (#817)

Other

Remove unsafe code from macro expansions (#818)

`v0.8.14`

Dependencies

Bump MSRV to 1.81 (#790)

Features

Switch all std::error to core::error (#815)

Miscellaneous Tasks

Release 0.8.14

`v0.8.13`

Bug Fixes

[sol-macro] Expand all getter return types (#812)

Dependencies

Remove cron schedule for deps.yml (#808)

Features

Expose returns field for DynSolCall type (#809)

Miscellaneous Tasks

Release 0.8.13 (#813)

Other

Make Signature::new a const fn (#810)

`v0.8.12`

Bug Fixes

Sealed::hash serde (#805)

Features

Add AsRef impl and hash method to Sealed (#804)

Miscellaneous Tasks

Release 0.8.12 (#806)

`v0.8.11`

Bug Fixes

[serde] Add alias v for yParity (#801)

Documentation

Update ethers-rs README note (#798)

Features

[json-abi] Add AbiItem::json_type (#797)
Add has_eip155_value convenience function to signature (#791)

Miscellaneous Tasks

Release 0.8.11 (#803)
[json-abi] Clean up utils (#794)
[meta] Update SECURITY.md (#793)

Other

Revert "chore: replace Signature with PrimitiveSignature" (#800)
Add success job (#795)

Performance

Improve normalize_v (#792)

Styling

Replace Signature with PrimitiveSignature (#796)

`v0.8.10`

Bug Fixes

Revert MSRV changes (#789)

Dependencies

Bump MSRV to 1.81 & use core::error::Error in place of std (#780)

Documentation

Fix param type in example comment (#784)

Miscellaneous Tasks

Release 0.8.10
Address MSRV TODOs for 1.81 (#781)

Other

Implement DerefMut for Log<T> (#786)

Refactor

Use simple boolean for parity in signature (#776)

`v0.8.9`

Bug Fixes

Re-enable foldhash by default, but exclude it from zkvm (#777)

Features

Expand Seal api (#773)

Miscellaneous Tasks

Release 0.8.9

`v0.8.8`

Bug Fixes

Properly account for sign in pg to/from sql implementation for signed (#772)
Don't enable foldhash by default (#771)
[alloy-sol-macro] Allow clippy::pub_underscore_fields on sol! output (#770)

Features

Add logs_bloom (#768)

Miscellaneous Tasks

Release 0.8.8

`v0.8.7`

Miscellaneous Tasks

Release 0.8.7

Other

Revert "Add custom serialization for Address" (#765)

`v0.8.6`

Bug Fixes

Fix lint alloy-primitives (#756)
Fix lint alloy-json-abi (#757)
Fix lint alloy-dyn-abi (#758)
Fix lint alloy-sol-types (#761)
Fix lint alloy-sol-macro-expander (#760)

Dependencies

[deps] Bump hashbrown to 0.15 (#753)

Features

Add Default for Sealed<T> (#755)
[primitives] Add and use foldhash as default hasher (#763)

Miscellaneous Tasks

Release 0.8.6
[meta] Update CODEOWNERS
Remove a stabilized impl_core function

Other

Derive Arbitrary for Sealed<T> (#762)
Derive Deref for Sealed<T> (#759)
Add conversion TxKind -> Option<Address> (#750)

`v0.8.5`

Bug Fixes

[primitives] Make sure DefaultHashBuilder implements Clone (#748)

Miscellaneous Tasks

Release 0.8.5
[primitives] Remove Fx* aliases (#749)

`v0.8.4`

Bug Fixes

[json-abi] Normalize $ to _ in identifiers in to_sol (#747)
[json-abi] Correct to-sol for UDVT arrays in structs (#745)
[sol-types] Check signature in SolEvent if non-anonymous (#741)

Features

[primitives] Implement map module (#743)
Support Keccak with sha3 (#737)

Miscellaneous Tasks

Release 0.8.4
Remove unused unstable-doc feature

Other

Add custom serialization for Address (#742)

Testing

Allow missing_docs in tests
Add another dyn-abi test

`v0.8.3`

Bug Fixes

[sol-macro] Correctly determine whether event parameters are hashes (#735)
[sol-macro] Namespaced custom type resolution (#731)
Parse selector hashes in sol macro (#730)

Features

Prepare reth Signature migration to alloy (#732)

Miscellaneous Tasks

Release 0.8.3

`v0.8.2`

Features

[sol-macro] Improve call return encoding (#909)

`v0.8.1`

Documentation

Enable some useful rustdoc features on docs.rs (#850)
Hide hex_literal export (#849)

Features

[json-abi] Add Param.name() accessor (#856)
[sol-types] Improve ABI decoding error messages (#851)

Miscellaneous Tasks

Release 0.8.19

`v0.8.0`

Bug Fixes

Parsing stack overflow (#703)

Dependencies

[deps] Bump proptest-derive (#708)

Documentation

Typo

Features

Derive ser deser on Sealed (#710)
[sol-macro] Support namespaces (#694)
Derive Hash for Sealed (#707)
[sol-types] Implement traits for longer tuples (#699)

Miscellaneous Tasks

Release 0.8.0
[primitives] Re-use ruint mask function (#698)
Derive hash for parity (#686)
Add some TODO comments

Other

Implement specific bit types for integers (#677)
Add testcase for overflowing_from_sign_and_abs (#696)

Styling

Remove ethereum_ssz dependency (#701)

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(monorepo): update rust crate alloy-dyn-abi to 0.8.0 [security]

760df36

renovate bot added the dependencies label

renovate bot enabled auto-merge (squash)

October 15, 2025 20:01

Author

renovate bot commented Oct 15, 2025 •

edited

Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package alloy-dyn-abi@0.7.7 --precise 0.8.26
    Updating crates.io index
error: failed to select a version for the requirement `alloy-dyn-abi = "^0.7.0"`
candidate versions found which didn't match: 0.8.26
location searched: crates.io index
required by package `reth-rpc v0.2.0-beta.6 (https://github.com/paradigmxyz/reth?rev=ac29b4b#ac29b4b7)`
    ... which satisfies git dependency `reth-rpc` (locked to 0.2.0-beta.6) of package `reaper-eth-engine-types v0.1.0 (/tmp/renovate/repos/github/storm-software/reaper/crates/eth-engine-types)`
    ... which satisfies path dependency `reaper-eth-engine-types` (locked to 0.1.0) of package `reaper-eth-engine-metrics v0.1.0 (/tmp/renovate/repos/github/storm-software/reaper/crates/eth-engine-metrics)`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels