Replies: 1 comment
Hi @fu050409! Thank you for looking into the security of SurrealDB, we appreciate it! You raise a good question. We have also looked into addressing this finding as our own Dependabot reported it as well. The reason However, looking into the original report, it appears that this issue occurs due to the fact that the You may have noticed that the official page for the Marvin Attack explicitly mentions JSON Web Tokens being potentially affected. This does not seem to be the case according to the details released about the attack and how JWT signing and verification is done using the I hope this answer was helpful to you and others who may be seeing the same issue. We still hope to address this soon, either by moving to the upstream version of Thank you again for taking the time to ask this question! PS: I am not a cryptography expert, so take my conclusions with a grain of salt!
My dependabot reported RUSTSEC-2023-0071 because of the unsafety in the `rsa` crate, and I revealed that there's no `rsa` dependency found in the `Cargo.lock` generated by `cargo generate-lockfile` at the latest version of `JsonWebToken`. Is the `rsa` crate necessary for us? Or can we use a more recent version?

Forgive me if this is due to my misunderstanding or stupidity :)