The version of the rust sdk in the most recent release includes a version of the `zip` crate affected by CVE-2025-29787.
While I don't suspect from an application-usage perspective that the temporal core sdk is extracting untrusted zip files, automated vulnerability scanning tools still pick up on the vulnerable version and prompt us to respond in some form.
Current `master` of this repository already has the core sdk bumped to a version that is not vulnerable; there just hasn't been a release uploaded to PyPI since it was patched. The `zip` patch was included with #802, I think just as a side-effect of the other work done in that change.