rustsec
diff --git a/‎.duplicate-id-guard‎
Lines changed: 1 addition & 1 deletion b/‎.duplicate-id-guard‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/dependabot.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/assign-ids.yml‎
Lines changed: 39 additions & 32 deletions b/‎.github/workflows/assign-ids.yml‎
Lines changed: 39 additions & 32 deletions
diff --git a/‎.github/workflows/export-osv.yml‎
Lines changed: 9 additions & 4 deletions b/‎.github/workflows/export-osv.yml‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎.github/workflows/publish-web.yml‎
Lines changed: 9 additions & 4 deletions b/‎.github/workflows/publish-web.yml‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎.github/workflows/sync-ids.yml‎
Lines changed: 34 additions & 27 deletions b/‎.github/workflows/sync-ids.yml‎
Lines changed: 34 additions & 27 deletions
diff --git a/‎.github/workflows/validate.yml‎
Lines changed: 16 additions & 12 deletions b/‎.github/workflows/validate.yml‎
Lines changed: 16 additions & 12 deletions
diff --git a/‎crates/alloy-dyn-abi/RUSTSEC-2025-0073.md‎
Lines changed: 29 additions & 0 deletions b/‎crates/alloy-dyn-abi/RUSTSEC-2025-0073.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎crates/alloy-json-abi/RUSTSEC-2024-0362.md‎
Lines changed: 1 addition & 0 deletions b/‎crates/alloy-json-abi/RUSTSEC-2024-0362.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/ammonia/RUSTSEC-2025-0071.md‎
Lines changed: 1 addition & 0 deletions b/‎crates/ammonia/RUSTSEC-2025-0071.md‎
Lines changed: 1 addition & 0 deletions
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-31a8abd8cc612f6b98d74d057b6404593b695fc8824cd6fb0236e21eaa7b4b39  -
+2b5bd0ab899546e88868be2b55d831a7d846a79264cdae63a1bde3a533207f28  -
@@ -5,3 +5,5 @@ updates:
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7
@@ -4,40 +4,47 @@ on:
   push:
     branches: main
 
+permissions: {}
+
 jobs:
   assign-ids:
     name: Assign IDs
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for create-pull-request
+      pull-requests: write # for create-pull-request
     steps:
-    - uses: actions/checkout@v5
-
-    - name: Cache cargo bin
-      id: admin-cache
-      uses: actions/cache@v4
-      with:
-        path: ~/.cargo/bin
-        key: rustsec-admin-b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
-
-    - name: Install rustsec-admin
-      if: steps.admin-cache.outputs.cache-hit != 'true'
-      run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
-
-    - name: Assign IDs
-      id: assign
-      run: |
-        message=$(rustsec-admin assign-id --github-actions-output)
-        echo "commit_message=${message}" >> $GITHUB_OUTPUT
-
-    - name: Create duplicate ID assignment guard
-      run: |
-        echo "This file causes merge conflicts if two ID assignment jobs run concurrently." > .duplicate-id-guard
-        echo "This prevents duplicate ID assignment due to a race between those jobs." >> .duplicate-id-guard
-        ls -R ./crates/ ./rust/ | sha256sum >> .duplicate-id-guard
-
-    - name: Create pull request
-      uses: peter-evans/create-pull-request@v7
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: ${{ steps.assign.outputs.commit_message }}
-        title: ${{ steps.assign.outputs.commit_message }}
-        branch: assign-ids
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Cache cargo bin
+        id: admin-cache
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cargo/bin
+          key: rustsec-admin-4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
+
+      - name: Install rustsec-admin
+        if: steps.admin-cache.outputs.cache-hit != 'true'
+        run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev 4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
+
+      - name: Assign IDs
+        id: assign
+        run: |
+          message=$(rustsec-admin assign-id --github-actions-output)
+          echo "commit_message=${message}" >> $GITHUB_OUTPUT
+
+      - name: Create duplicate ID assignment guard
+        run: |
+          echo "This file causes merge conflicts if two ID assignment jobs run concurrently." > .duplicate-id-guard
+          echo "This prevents duplicate ID assignment due to a race between those jobs." >> .duplicate-id-guard
+          ls -R ./crates/ ./rust/ | sha256sum >> .duplicate-id-guard
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: ${{ steps.assign.outputs.commit_message }}
+          title: ${{ steps.assign.outputs.commit_message }}
+          branch: assign-ids
@@ -4,23 +4,28 @@ on:
   push:
     branches: main
 
+permissions: {}
+
 jobs:
   publish-web:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed for pushing back to the repo
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: osv
+          persist-credentials: true # persists the token for git push below
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         id: admin-cache
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+          key: rustsec-admin-4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
       - name: Install rustsec-admin
         if: steps.admin-cache.outputs.cache-hit != 'true'
-        run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+        run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev 4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
       - run: |
           mkdir -p crates
 
@@ -4,23 +4,28 @@ on:
   push:
     branches: main
 
+permissions: {}
+
 jobs:
   publish-web:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed for pushing back to the repo
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: gh-pages
+          persist-credentials: true # persists the token for git push below
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         id: admin-cache
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+          key: rustsec-admin-4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
       - name: Install rustsec-admin
         if: steps.admin-cache.outputs.cache-hit != 'true'
-        run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+        run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev 4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
       - run: |
           rustsec-admin web .
 
@@ -4,40 +4,47 @@ on:
   workflow_dispatch:
   schedule:
     # daily run on default "main" branch
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
+
+permissions: {}
 
 jobs:
   sync-ids:
     name: Synchronize IDs
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for create-pull-request
+      pull-requests: write # for create-pull-request
     steps:
-    - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
-    - name: Cache cargo bin
-      id: admin-cache
-      uses: actions/cache@v4
-      with:
-        path: ~/.cargo/bin
-        key: rustsec-admin-b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+      - name: Cache cargo bin
+        id: admin-cache
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cargo/bin
+          key: rustsec-admin-4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
-    - name: Install rustsec-admin
-      if: steps.admin-cache.outputs.cache-hit != 'true'
-      run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+      - name: Install rustsec-admin
+        if: steps.admin-cache.outputs.cache-hit != 'true'
+        run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev 4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
-    - name: Synchronize IDs
-      id: sync_ids
-      run: |
-        mkdir -p /tmp/osv
-        curl --silent --output /tmp/osv/advisories.zip https://osv-vulnerabilities.storage.googleapis.com/crates.io/all.zip
-        unzip -d /tmp/osv -q /tmp/osv/advisories.zip
-        rustsec-admin sync --osv /tmp/osv/ .
-        message="Synchronize IDs ($(date +%F))"
-        echo "commit_message=${message}" >> $GITHUB_OUTPUT
+      - name: Synchronize IDs
+        id: sync_ids
+        run: |
+          mkdir -p /tmp/osv
+          curl --silent --output /tmp/osv/advisories.zip https://osv-vulnerabilities.storage.googleapis.com/crates.io/all.zip
+          unzip -d /tmp/osv -q /tmp/osv/advisories.zip
+          rustsec-admin sync --osv /tmp/osv/ .
+          message="Synchronize IDs ($(date +%F))"
+          echo "commit_message=${message}" >> $GITHUB_OUTPUT
 
-    - name: Create pull request
-      uses: peter-evans/create-pull-request@v7
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: ${{ steps.sync_ids.outputs.commit_message }}
-        title: ${{ steps.sync_ids.outputs.commit_message }}
-        branch: sync-ids
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: ${{ steps.sync_ids.outputs.commit_message }}
+          title: ${{ steps.sync_ids.outputs.commit_message }}
+          branch: sync-ids
@@ -5,23 +5,27 @@ on:
   push:
     branches: main
 
+permissions: {}
+
 jobs:
   lint:
     name: Lint advisories
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
-    - name: Cache cargo bin
-      id: admin-cache
-      uses: actions/cache@v4
-      with:
-        path: ~/.cargo/bin
-        key: rustsec-admin-b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+      - name: Cache cargo bin
+        id: admin-cache
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cargo/bin
+          key: rustsec-admin-4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
-    - name: Install rustsec-admin
-      if: steps.admin-cache.outputs.cache-hit != 'true'
-      run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev b7c69254bda9b8f4c94bc5eaef47e5bb3a97d8cd
+      - name: Install rustsec-admin
+        if: steps.admin-cache.outputs.cache-hit != 'true'
+        run: cargo install --git https://github.com/rustsec/rustsec rustsec-admin --rev 4f949d61d9ed2ef59f8c4448b5ab96e6eef0d6ed
 
-    - name: Lint advisories
-      run: rustsec-admin lint --skip-namecheck rustdecimal,vec-const
+      - name: Lint advisories
+        run: rustsec-admin lint --skip-namecheck rustdecimal,vec-const
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-2025-0073"
+package = "alloy-dyn-abi"
+date = "2025-10-15"
+url = "https://github.com/alloy-rs/core/security/advisories/GHSA-pgp9-98jm-wwq2"
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["uncaught-panic"]
+aliases = ["CVE-2025-62370", "GHSA-pgp9-98jm-wwq2"]
+
+[affected.functions]
+"alloy_dyn_abi::eip712::Resolver::encode_type" = ["<0.8.26", ">=1.0.0, <1.4.1"]
+
+[versions]
+patched = [">=0.8.26, <1.0.0", ">=1.4.1"]
+```
+
+# DoS vulnerability on `alloy_dyn_abi::TypedData` hashing
+
+An uncaught panic triggered by malformed input to `alloy_dyn_abi::TypedData` could lead to a denial-of-service (DoS) via `eip712_signing_hash()`.
+
+Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.
+
+The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version [v1.4.1](https://crates.io/crates/alloy-dyn-abi/1.4.1) and backported to [v0.8.26](https://crates.io/crates/alloy-dyn-abi/0.8.26).
+
+There is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.
+
+Reported by [Christian Reitter](https://github.com/cr-tk) & [Zeke Mostov](https://github.com/emostov) from [Turnkey](https://www.turnkey.com/).
@@ -5,6 +5,7 @@ package = "alloy-json-abi"
 date = "2024-07-30"
 url = "https://github.com/alloy-rs/core/issues/702"
 keywords = ["stack-overflow"]
+aliases = ["GHSA-8327-84cj-8xjm"]
 
 [versions]
 patched = [">= 0.7.7"]
 
@@ -5,6 +5,7 @@ package = "ammonia"
 date = "2025-09-21"
 categories = ["format-injection"]
 keywords = ["html", "xss"]
+aliases = ["GHSA-mm7x-qfjj-5g2c"]
 
 [versions]
 patched = [">= 4.1.2", ">= 4.0.1, < 4.1.0", ">= 3.3.1, < 4.0.0"]