This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
Crate nimiq-blockchain Dependencies (8 total, 1 outdated)
Dev dependencies (2 total, 1 outdated)
Crate nimiq-blockchain-interface Dependencies (4 total, all up-to-date)
Crate nimiq-blockchain-proxy Dependencies (2 total, all up-to-date)
Crate nimiq-bls Dependencies (13 total, 7 outdated)
Crate nimiq-client Dependencies (2 total, all up-to-date)
Crate nimiq-collections Dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde | ^1.0 | 1.0.228 | up to date |

Dev dependencies (2 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |
| serde_json | ^1.0 | 1.0.149 | up to date |

Crate nimiq-consensus Dependencies (10 total, 1 outdated)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |

Crate nimiq-database Dependencies (3 total, all up-to-date)
Dev dependencies (3 total, 2 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| criterion | ^0.5 | 0.8.2 | out of date |
| pprof | ^0.15 | 0.15.0 | up to date |
| rand | ^0.9 | 0.10.0 | out of date |

Crate nimiq-database-value No external dependencies! 🙌
Crate nimiq-database-value-derive Dependencies (3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| proc-macro2 | ^1.0 | 1.0.106 | up to date |
| quote | ^1.0 | 1.0.45 | up to date |
| syn | ^2.0 | 2.0.117 | up to date |

Crate nimiq-dht No external dependencies! 🙌
Crate nimiq-fuzz Dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| afl | ^0.17.1 | 0.17.1 | up to date |

Crate nimiq-genesis Dependencies (3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |
| url | ^2.5 | 2.5.8 | up to date |

Build dependencies (1 total, 1 possibly insecure)
Crate nimiq-genesis-builder Dependencies (6 total, 1 outdated, 2 possibly insecure)
Crate nimiq-handel Dependencies (6 total, all up-to-date)
Dev dependencies (3 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| rand | ^0.9 | 0.10.0 | out of date |
| serde | ^1.0 | 1.0.228 | up to date |
| tokio | ^1.50 | 1.50.0 | up to date |

Crate nimiq-hash Dependencies (7 total, all up-to-date)
Crate nimiq-hash_derive Dependencies (3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| proc-macro2 | ^1.0 | 1.0.106 | up to date |
| quote | ^1.0 | 1.0.45 | up to date |
| syn | ^2.0 | 2.0.117 | up to date |

Crate nimiq-key-derivation Dependencies (3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| byteorder | ^1.5 | 1.5.0 | up to date |
| regex | ^1.12 | 1.12.3 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |

Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |

Crate nimiq-keys Dependencies (12 total, 1 outdated)
Crate nimiq-lib Dependencies (29 total, 3 outdated, 2 possibly insecure)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| tokio | ^1.50 | 1.50.0 | up to date |

Crate nimiq-light-blockchain Dependencies (4 total, all up-to-date)
Dev dependencies (1 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| rand | ^0.9 | 0.10.0 | out of date |

Crate nimiq-log Dependencies (4 total, 2 possibly insecure)
Crate nimiq-macros Dependencies (3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |
| subtle | ^2.6 | 2.6.1 | up to date |

Crate nimiq-mempool Dependencies (9 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |

Crate nimiq-mempool-task Dependencies (3 total, all up-to-date)
Crate nimiq-metrics-server Dependencies (8 total, 1 possibly insecure)
Crate nimiq-mnemonic Dependencies (5 total, 1 outdated)
Crate nimiq-network-interface Dependencies (7 total, all up-to-date)
Crate nimiq-network-libp2p Dependencies (18 total, 1 outdated, 1 possibly insecure)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| tokio | ^1.50 | 1.50.0 | up to date |

Crate nimiq-network-mock Dependencies (7 total, all up-to-date)
Crate nimiq-pow-migration Dependencies (14 total, 2 outdated, 1 possibly insecure)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde_json | ^1.0 | 1.0.149 | up to date |

Build dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| build-data | ^0.3 | 0.3.3 | up to date |

Crate nimiq-primitives Dependencies (16 total, 3 outdated)
Crate nimiq-account Dependencies (5 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |
| parking_lot | ^0.12 | 0.12.5 | up to date |
| rand | ^0.9 | 0.10.0 | out of date |
| serde | ^1.0 | 1.0.228 | up to date |
| thiserror | ^2.0 | 2.0.18 | up to date |

Dev dependencies (2 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |
| tempfile | ^3.26 | 3.26.0 | up to date |

Crate nimiq-block Dependencies (7 total, 1 outdated)
Crate nimiq-mmr Dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde | ^1.0 | 1.0.228 | up to date |

Crate nimiq-subscription Dependencies (2 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |

Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |

Crate nimiq-transaction Dependencies (9 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde_json | ^1.0 | 1.0.149 | up to date |

Crate nimiq-trie Dependencies (3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |
| serde | ^1.0 | 1.0.228 | up to date |
| thiserror | ^2.0 | 2.0.18 | up to date |

Crate nimiq-rpc-client Dependencies (7 total, 1 possibly insecure)
Crate nimiq-rpc-interface Dependencies (9 total, 2 outdated)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde_json | ^1.0 | 1.0.149 | up to date |

Crate nimiq-rpc-server Dependencies (8 total, all up-to-date)
Crate nimiq-serde Dependencies (4 total, all up-to-date)
Crate nimiq-serde-derive Dependencies (4 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| darling | ^0.23 | 0.23.0 | up to date |
| proc-macro2 | ^1.0 | 1.0.106 | up to date |
| quote | ^1.0 | 1.0.45 | up to date |
| syn | ^2.0 | 2.0.117 | up to date |

Crate nimiq-spammer Dependencies (6 total, 2 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| clap | ^4.5 | 4.5.60 | up to date |
| rand | ^0.9 | 0.10.0 | out of date |
| serde | ^1.0 | 1.0.228 | up to date |
| tokio | ^1.50 | 1.50.0 | up to date |
| tokio-metrics | ^0.4 | 0.4.9 | up to date |
| toml | ^0.9 | 1.0.6+spec-1.1.0 | out of date |

Crate nimiq-tendermint Dependencies (4 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| rand | ^0.9 | 0.10.0 | out of date |
| serde | ^1.0 | 1.0.228 | up to date |
| tokio | ^1.50 | 1.50.0 | up to date |
| tokio-stream | ^0.1 | 0.1.18 | up to date |

Dev dependencies (2 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| tokio | ^1.50 | 1.50.0 | up to date |
| tokio-util | ^0.7 | 0.7.18 | up to date |

Crate nimiq-test-log Dependencies (2 total, 1 possibly insecure)
Crate nimiq-test-log-proc-macro Dependencies (3 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| darling | ^0.23 | 0.23.0 | up to date |
| quote | ^1.0 | 1.0.45 | up to date |
| syn | ^2.0 | 2.0.117 | up to date |

Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| tokio | ^1.50 | 1.50.0 | up to date |

Crate nimiq-test-utils Dependencies (18 total, 6 outdated, 1 possibly insecure)
Crate nimiq-time Dependencies (6 total, all up-to-date)
Crate nimiq-tools Dependencies (11 total, 1 outdated)
Crate nimiq-transaction-builder Dependencies (2 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| serde | ^1.0 | 1.0.228 | up to date |
| thiserror | ^2.0 | 2.0.18 | up to date |

Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |

Crate nimiq-utils Dependencies (11 total, 2 outdated)
Crate nimiq-validator Dependencies (11 total, 1 outdated)
Dev dependencies (4 total, 1 possibly insecure)
Crate nimiq-validator-network Dependencies (7 total, 1 possibly insecure)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| tokio | ^1.50 | 1.50.0 | up to date |

Crate nimiq-vrf Dependencies (6 total, 1 outdated)
Crate nimiq-wallet Dependencies (4 total, all up-to-date)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| hex | ^0.4 | 0.4.3 | up to date |

Crate nimiq-web-client Dependencies (16 total, 3 outdated)
Dev dependencies (3 total, all up-to-date)
Crate nimiq-zkp Dependencies (17 total, 11 outdated)
Dev dependencies (2 total, 1 outdated, 1 possibly insecure)
Crate nimiq-zkp-circuits Dependencies (20 total, 13 outdated, 1 possibly insecure)
Crate nimiq-zkp-component Dependencies (12 total, 4 outdated, 1 possibly insecure)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| tempfile | ^3.26 | 3.26.0 | up to date |

Crate nimiq-zkp-prove Dependencies (6 total, 1 possibly insecure)
Crate nimiq-zkp-primitives Dependencies (14 total, 10 outdated)
Crate nimiq-pedersen-generators Dependencies (10 total, 8 outdated)
Dev dependencies (1 total, all up-to-date)

| Crate | Required | Latest | Status |
|---|---|---|---|
| bencher | ^0.1 | 0.1.5 | up to date |

Security Vulnerabilities

tracing-subscriber: Logging user input may result in poisoning logs with ANSI escape sequences (RUSTSEC-2025-0055)
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:
Manipulate terminal title bars
Clear screens or modify terminal display
Potentially mislead users through terminal manipulation
In isolation, the impact is minimal. However, security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences delivered via logs to exploit vulnerabilities in the terminal emulator itself.
This was patched in PR #3368 to escape ANSI control characters from user input.
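
For code that must log untrusted input through a logger that does not escape it, the same mitigation can be applied at the call site. The sketch below is an added example, not tracing-subscriber's code; the `Sanitized` wrapper and the sample strings are constructed for illustration.

```rust
use std::fmt::{self, Write};

/// Hypothetical wrapper: displays untrusted text with every control
/// character escaped, so nothing in it is interpreted by the terminal.
pub struct Sanitized<'a>(pub &'a str);

impl fmt::Display for Sanitized<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        for c in self.0.chars() {
            if c.is_control() {
                // Covers C0 (ESC, BEL, CR, LF, ...), DEL and the C1 range,
                // which includes the 8-bit CSI introducer U+009B.
                write!(f, "{}", c.escape_default())?;
            } else {
                f.write_char(c)?;
            }
        }
        Ok(())
    }
}

fn main() {
    // Constructed samples: a title-bar sequence, a clear-screen sequence,
    // and an 8-bit CSI colour sequence embedded in a "username" field.
    let samples = ["alice\x1b]0;title\x07", "bob\x1b[2J", "eve\u{9b}31m"];
    for s in samples {
        // The escaped form is what reaches the log sink.
        println!("login attempt user={}", Sanitized(s));
    }
}
```

Escaping CR and LF as well keeps a single log record on a single line, which matters for log parsers as much as for terminals.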
bytes: Integer overflow in `BytesMut::reserve` (RUSTSEC-2026-0007)
In the unique reclaim path of BytesMut::reserve, the condition
if v_capacity >= new_cap + offset
uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.
This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.
PoC
```rust
use bytes::*;

fn main() {
    let mut a = BytesMut::from(&b"hello world"[..]);
    let mut b = a.split_off(5);

    // Ensure b becomes the unique owner of the backing storage
    drop(a);

    // Trigger overflow in new_cap + offset inside reserve
    b.reserve(usize::MAX - 6);

    // This call relies on the corrupted cap and may cause UB & HBO
    b.put_u8(b'h');
}
```
Workarounds
Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.
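
The overflowing comparison from this advisory, modelled in isolation next to an overflow-safe form. This is an added example, not the `bytes` crate's code or its actual fix; the function names are hypothetical, and the values assume the PoC's 11-byte allocation, an offset of 5, and `new_cap` being the remaining length plus the requested additional bytes.

```rust
/// Models `v_capacity >= new_cap + offset` as a release build evaluates it:
/// the addition wraps silently instead of panicking.
pub fn fits_wrapping(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    v_capacity >= new_cap.wrapping_add(offset)
}

/// Overflow-safe form: a sum that does not fit in usize can never fit
/// in the allocation, so the reclaim path must be refused.
pub fn fits_checked(v_capacity: usize, new_cap: usize, offset: usize) -> bool {
    match new_cap.checked_add(offset) {
        Some(needed) => v_capacity >= needed,
        None => false,
    }
}

/// Values reconstructed from the PoC (assumptions, see lead-in).
pub fn poc_values() -> (usize, usize, usize) {
    let v_capacity = 11; // assumed capacity for b"hello world"
    let offset = 5; // from split_off(5)
    let len = v_capacity - offset; // 6 bytes remain in `b`
    let additional = usize::MAX - 6; // argument passed to reserve()
    let new_cap = len + additional; // == usize::MAX, no overflow yet
    (v_capacity, new_cap, offset)
}

fn main() {
    let (v_capacity, new_cap, offset) = poc_values();
    // new_cap + offset wraps to 4, so the 11-byte buffer appears to suffice.
    println!("wrapped sum      = {}", new_cap.wrapping_add(offset));
    println!("wrapping check   = {}", fits_wrapping(v_capacity, new_cap, offset));
    println!("checked check    = {}", fits_checked(v_capacity, new_cap, offset));
    // An ordinary request gives the same answer under both forms.
    println!("ordinary request = {}", fits_checked(v_capacity, 4, offset));
}
```

Setting `overflow-checks = true` in the Cargo release profile is the configuration the workaround refers to: it turns the wrapped addition into a panic.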
time: Denial of Service via Stack Exhaustion (RUSTSEC-2026-0009)
Impact
When user-provided input is passed to any type that parses with the RFC 2822 format, a denial of
service attack via stack exhaustion is possible. The attack relies on formally deprecated and
rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
non-malicious input will never encounter this scenario.
Patches
A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
rather than exhausting the stack.
Workarounds
Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
the stack consumed would be at most a factor of the length of the input.