This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate surrealism-runtime

Dependencies

(11 total, 4 outdated, 2 possibly insecure)

| Crate | Required | Latest | Status |
| --- | --- | --- | --- |
| anyhow | ^1.0.100 | 1.0.102 | up to date |
| async-trait | ^0.1.89 | 0.1.89 | up to date |
| semver | ^1.0.27 | 1.0.28 | up to date |
| serde | ^1.0.228 | 1.0.228 | up to date |
| surrealdb-types | ^3.0.3 | 3.0.5 | up to date |
| surrealism-types | ^0.2 | 0.3.1 | out of date |
| tar ⚠️ | ^0.4.44 | 0.4.45 | maybe insecure |
| toml | ^0.9.11 | 1.1.2+spec-1.1.0 | out of date |
| wasmtime ⚠️ | ^41.0.4 | 44.0.1 | out of date |
| wasmtime-wasi | ^41.0.4 | 44.0.1 | out of date |
| zstd | ^0.13.3 | 0.13.3 | up to date |

Security Vulnerabilities

tar: `unpack_in` can chmod arbitrary directories by following symlinks

RUSTSEC-2026-0067

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

This issue has been fixed in version 0.4.45.

tar: tar-rs incorrectly ignores PAX size headers if header size is nonzero

RUSTSEC-2026-0068

Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero.

As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue.

Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size — other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers.

This issue has been fixed in version 0.4.45.

wasmtime: Panic when lifting `flags` component value

RUSTSEC-2026-0085

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq. For more information, see the GitHub-hosted security advisory.

wasmtime: Host data leakage with 64-bit tables and Winch

RUSTSEC-2026-0086

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946. For more information, see the GitHub-hosted security advisory.

wasmtime: Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64

RUSTSEC-2026-0087

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv. For more information, see the GitHub-hosted security advisory.

wasmtime: Data leakage between pooling allocator instances

RUSTSEC-2026-0088

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p. For more information, see the GitHub-hosted security advisory.

wasmtime: Host panic when Winch compiler executes `table.fill`

RUSTSEC-2026-0089

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw. For more information, see the GitHub-hosted security advisory.

wasmtime: Out-of-bounds write or crash when transcoding component model strings

RUSTSEC-2026-0091

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm. For more information, see the GitHub-hosted security advisory.

wasmtime: Panic when transcoding misaligned component model UTF-16 strings

RUSTSEC-2026-0092

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775. For more information, see the GitHub-hosted security advisory.

wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding

RUSTSEC-2026-0093

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv. For more information, see the GitHub-hosted security advisory.

wasmtime: Improperly masked return value from `table.grow` with Winch compiler backend

RUSTSEC-2026-0094

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7. For more information, see the GitHub-hosted security advisory.

wasmtime: Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access

RUSTSEC-2026-0095

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83. For more information, see the GitHub-hosted security advisory.

wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift

RUSTSEC-2026-0096

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w. For more information, see the GitHub-hosted security advisory.

wasmtime: Panic when allocating a table exceeding the size of the host's address space

RUSTSEC-2026-0114

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg. For more information, see the GitHub-hosted security advisory.