Security Advisory - Candid Upgrade Required

Dear All,

Recently, the DFINITY security team uncovered a denial of service (DoS) vulnerability in the Candid library, which when exploited can degrade canister’s performance. We urge everyone who is currently on version >= 0.9.0 to < 0.9.10 of candid rust library to upgrade to the latest version of candid as soon as possible. A security advisory has been published on GitHub, which contains a detailed description of the issue. For asset canister users (bundled with dfx), if you are on dfx versions >= 0.14.4 to <= 0.15.2-beta.0 please upgrade your dfx to v0.15.2 and redeploy your asset canister.

All affected canisters developed by DFINITY have already been upgraded to the fixed version. Any canister with candid version < 0.9.0 and > 0.9.10 and all Motoko canisters are not affected. Asset canisters from dfx versions <= 0.14.3 are also not affected by the issue.

We encourage the ICP community to report any new issues or bugs found responsibly. Please refer to the Bug Bounty program for more information.

Here are some resources to refer:

  1. Upgrade a canister
  2. Building a web frontend