
fix(deps): update yamux to 0.13.10, remove vulnerable 0.12.x (high CVE-2026-32314)#240

Merged
louisliu2048 merged 1 commit into main from fix/security-yamux-13 on Mar 30, 2026

Conversation

@github-actions
Contributor

Description

Bumps yamux to resolve a high severity vulnerability by eliminating the
vulnerable yamux 0.12.x dependency from the build.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Security Alert

Change

libp2p-yamux 0.47.0 (the latest release) intentionally depends on two
versions of yamux simultaneously:

  • yamux 0.12.x (aliased yamux012) — legacy backward-compat path, vulnerable
  • yamux 0.13.x (aliased yamux013) — new default path, safe

The xlayer codebase uses only yamux::Config::default(), which already routes
through the yamux013 code path at runtime. However, yamux 0.12.x was still
compiled into the binary, keeping the vulnerable parsing code present.

Because no upstream release of libp2p-yamux removes the yamux012 dependency
(libp2p 0.56.0 is the latest), this PR introduces a local fork of libp2p-yamux
under deps/libp2p-yamux — following the same pattern used for the previous
jsonwebtoken security fix (deps/alloy-rpc-types-engine).

The fork:

  1. Removes the yamux012 dependency from Cargo.toml
  2. Rewrites src/lib.rs to use yamux 0.13.x directly (no Either<v012, v013>)
  3. Removes the deprecated Config::client(), Config::server(),
     set_receive_window_size(), set_max_buffer_size(), and
     set_window_update_mode() methods (none are used in this codebase)
  4. Keeps the set_max_num_streams() method, updated to use the yamux013 API

A [patch.crates-io] entry in the workspace Cargo.toml redirects
libp2p-yamux to the local fork. After the patch, cargo check --workspace
passes cleanly and Cargo.lock contains only yamux 0.13.10.

Checklist

  • I have reviewed the relevant code guidelines in the docs/ folder
  • My code follows the coding standards of this project
  • I have performed a self-review of my own code

…6-32314)

libp2p-yamux 0.47.0 depends on both yamux 0.12.x (legacy/backward-compat path,
aliased as yamux012) and yamux 0.13.x (default path, aliased as yamux013).
yamux 0.12.x is vulnerable to a remote panic via a malformed Data frame with
SYN set and length 262145. No upstream release of libp2p-yamux eliminates the
yamux 0.12.x dependency, so this commit introduces a local fork of libp2p-yamux
under deps/libp2p-yamux that removes yamux012 entirely and uses yamux 0.13.10
exclusively. The xlayer-reth codebase only calls yamux::Config::default() which
already routes through the yamux013 code path, so there is no functional change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
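As an added example (not code from this PR or the xlayer-reth project): a POSIX shell guard a practitioner can drop into CI to confirm the outcome the description claims, namely that Cargo.lock resolves only yamux 0.13.x once the fork is in place. The two sample lockfile texts are constructed; `0.12.1` is an assumed 0.12.x version number (the page only says 0.12.x), `0.13.10` is the version the PR pins, and the `[patch.crates-io]` shape in the comments is standard Cargo syntax pointing at the `deps/libp2p-yamux` path the PR names.

```shell
#!/bin/sh
# Added example, not code from the PR or the xlayer-reth project.
# A CI-style guard that fails when Cargo.lock still resolves a yamux 0.12.x
# package, i.e. the state the PR describes before the local fork was applied.
#
# Assumed shape of the workspace override the PR describes (standard Cargo syntax):
#   [patch.crates-io]
#   libp2p-yamux = { path = "deps/libp2p-yamux" }
#
# Cargo.lock records each resolved crate as:
#   [[package]]
#   name = "yamux"
#   version = "0.13.10"

# Constructed sample lockfiles. "0.12.1" is a made-up 0.12.x version number;
# the page only says 0.12.x. "0.13.10" is the version the PR pins.
SAMPLE_LOCK_BEFORE='[[package]]
name = "libp2p-yamux"
version = "0.47.0"

[[package]]
name = "yamux"
version = "0.12.1"

[[package]]
name = "yamux"
version = "0.13.10"
'

SAMPLE_LOCK_AFTER='[[package]]
name = "libp2p-yamux"
version = "0.47.0"

[[package]]
name = "yamux"
version = "0.13.10"
'

# list_versions CRATE LOCKTEXT
# Prints every version of CRATE resolved in the lockfile text, one per line.
# Cargo can resolve the same crate at several versions at once, which is
# exactly the situation this PR removes for yamux.
list_versions() {
    printf '%s\n' "$2" | awk -v crate="$1" '
        $0 == "[[package]]"                    { hit = 0 }
        $1 == "name" && $3 == "\"" crate "\""  { hit = 1 }
        hit && $1 == "version"                 { gsub(/"/, "", $3); print $3; hit = 0 }
    '
}

# vulnerable_versions CRATE BADPREFIX LOCKTEXT
# Prints the resolved versions of CRATE whose version starts with BADPREFIX
# (for example "0.12."). Prints nothing when none match.
vulnerable_versions() {
    list_versions "$1" "$3" | grep "^$(printf '%s' "$2" | sed 's/\./\\./g')" || true
}

# check_lock LOCKTEXT
# Succeeds (exit 0) only if no yamux 0.12.x package is resolved in LOCKTEXT.
check_lock() {
    bad=$(vulnerable_versions yamux 0.12. "$1")
    if [ -n "$bad" ]; then
        echo "vulnerable yamux version(s) still in lockfile: $bad" >&2
        return 1
    fi
    echo "ok: no yamux 0.12.x in lockfile"
    return 0
}

# Usage against a real lockfile from the workspace root:
#   check_lock "$(cat Cargo.lock)"
```

Running `check_lock` against the "before" sample reports `0.12.1` and fails; against the "after" sample it passes. The check deliberately reads Cargo.lock rather than Cargo.toml, because the lockfile is what records every transitively resolved version, including a second copy of a crate pulled in through an alias like yamux012.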
@github-actions github-actions bot requested review from JimmyShi22 and Vui-Chee March 28, 2026 02:56
@louisliu2048 louisliu2048 merged commit cfbb01a into main Mar 30, 2026
3 checks passed
@Vui-Chee Vui-Chee deleted the fix/security-yamux-13 branch March 30, 2026 02:41