fix: update testcontainers to v0.27.0 to remediate CVE-2025-62518#396

Open
Vui-Chee wants to merge 2 commits into flashbots:main from okx:fix/cve-2025-62518-tokio-tar

Conversation

@Vui-Chee

Summary

This PR updates the testcontainers dependency from v0.24.0 to v0.27.0 to remediate CVE-2025-62518 (GHSA-j5gw-2vrg-8fgx), a HIGH severity vulnerability in tokio-tar.

Vulnerability Details

  • CVE ID: CVE-2025-62518
  • GHSA ID: GHSA-j5gw-2vrg-8fgx
  • Severity: HIGH (CVSS 8.1)
  • Issue: PAX header desynchronization allowing tar archive entry smuggling
  • Affected: tokio-tar <= 0.3.1 (no patched version available)
  • Fixed in: astral-tokio-tar >= 0.5.6 (replacement package)
  • Impact Scope: Test framework only (ExternalNode test infrastructure)

Dependency Chain

Before:

op-rbuilder (0.3.1)
└── testcontainers (0.24.0)
    └── tokio-tar (0.3.1) ← VULNERABLE

After:

op-rbuilder (0.3.1)
└── testcontainers (0.27.0)
    └── astral-tokio-tar (0.5.6) ← FIXED

Changes Made

  1. Updated Dependencies:

    • testcontainers: 0.24.0 → 0.27.0
    • Updated Cargo.lock via cargo update -p testcontainers
  2. Fixed Breaking API Changes in bollard (used by testcontainers):

    • Updated imports: Config → ContainerCreateBody
    • Moved Options types to query_parameters module
    • Moved model types to separate models module
    • Removed generic type parameters from Options structs (e.g., StartContainerOptions<String> → StartContainerOptions)
    • Changed boolean Option fields to plain bools in AttachContainerOptions
    • Updated CreateImageOptions fields to use Option<String>
  3. Files Modified:

    • crates/op-rbuilder/Cargo.toml: Updated testcontainers version
    • Cargo.lock: Updated dependency tree
    • crates/op-rbuilder/src/tests/framework/external.rs: Fixed API compatibility

Verification

Vulnerability Remediation:

  • cargo tree -i tokio-tar: Package no longer in dependency tree
  • cargo tree -p testcontainers: Confirms astral-tokio-tar v0.5.6 is used
  • cargo audit: No tokio-tar vulnerabilities found

Compilation Checks:

  • cargo build -p op-rbuilder --bin op-rbuilder: Success
  • cargo build -p op-rbuilder --bin tester --features testing: Success
  • cargo clippy --all-features: No warnings

Test Suite:

  • cargo test -p op-rbuilder --features testing: All 110 tests pass

References

This commit updates the testcontainers dependency from v0.24.0 to v0.27.0,
which replaces the vulnerable tokio-tar (CVE-2025-62518) with the patched
astral-tokio-tar >= 0.5.6.

CVE-2025-62518 is a HIGH severity vulnerability (CVSS 8.1) in tokio-tar
that allows PAX header desynchronization and tar archive entry smuggling.

Changes:
- Updated testcontainers from 0.24.0 to 0.27.0 in Cargo.toml
- Updated Cargo.lock with cargo update -p testcontainers
- Fixed breaking API changes in bollard (used by testcontainers):
  - Updated imports: Config -> ContainerCreateBody, moved Options types
    to query_parameters module, moved models to separate module
  - Removed generic type parameters from Options structs
  - Changed boolean Option fields to plain bools in AttachContainerOptions
  - Updated CreateImageOptions fields to use Option<String>

Verification:
- cargo tree confirms tokio-tar is removed from dependency tree
- cargo tree confirms astral-tokio-tar v0.5.6 is now used
- cargo audit shows no tokio-tar vulnerabilities
- All compilation checks pass (op-rbuilder, tester, clippy)
- All 110 tests pass successfully

Fixes CVE-2025-62518 (GHSA-j5gw-2vrg-8fgx)
Member

@julio4 julio4 left a comment


lgtm

@Vui-Chee
Author

@julio4 The nightly lint failed on an old crate, shellexpand. But this crate is no longer maintained and seems not to have been updated for a while. It is very likely that the CI linting checks will continue to fail.

@julio4
Member

julio4 commented Feb 23, 2026

@julio4 The nightly lint failed on an old crate, shellexpand. But this crate is no longer maintained and seems not to have been updated for a while. It is very likely that the CI linting checks will continue to fail.

Yes, I noticed. I'll fix it asap and merge this!
