Dear all,
We recently discovered a memory leak in the ic_cdk::call* implementation in @dfinity/cdk-rs. Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker.
This is a high severity security issue and the patch has been backported to all minor versions between >= 0.8.0, <= 0.15.0. The patched versions available are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1 and their previous versions have been yanked. Please see the GitHub Security Advisory for more information.
We encourage the ICP community to report any new issues or bugs found responsibly. Please refer to the Bug Bounty program for more information.
Please reach out to us in this thread or privately if you have any questions.
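
As an added example (not part of the original post and not code from cdk-rs): a small Rust check that scans a Cargo.lock for ic-cdk entries and compares each one against the patched versions listed above. It assumes the crate appears in the lockfile under the name ic-cdk and reports pre-release versions as unparsed; the embedded lockfile text is constructed sample data, and ic_cdk_timers is not checked because the post gives no version range for it.

```rust
// Patched patch level per 0.x minor line, taken from the versions listed in the post.
const PATCHED: [(u64, u64); 8] = [(8, 2), (9, 3), (10, 1), (11, 6), (12, 2), (13, 5), (14, 1), (15, 1)];

// Constructed sample lockfile content (placeholder versions, not from a real project).
const SAMPLE_LOCK: &str = "[[package]]\nname = \"ic-cdk\"\nversion = \"0.12.1\"\n\n\
[[package]]\nname = \"ic-cdk-timers\"\nversion = \"0.0.0\"\n\n\
[[package]]\nname = \"ic-cdk\"\nversion = \"0.15.1\"\n";

#[derive(Debug, PartialEq)]
enum Status {
    Affected { upgrade_to: String },
    Patched,
    OutOfRange, // outside the minor lines the post covers
    Unparsed,   // not plain MAJOR.MINOR.PATCH (e.g. a pre-release)
}

// Compare one ic-cdk version string against the patched release of its minor line.
fn classify(version: &str) -> Status {
    let nums: Vec<u64> = version.split('.').filter_map(|p| p.parse().ok()).collect();
    if nums.len() != 3 || version.split('.').count() != 3 { return Status::Unparsed; }
    match PATCHED.iter().find(|p| nums[0] == 0 && p.0 == nums[1]) {
        Some(p) if nums[2] < p.1 => Status::Affected { upgrade_to: format!("0.{}.{}", p.0, p.1) },
        Some(_) => Status::Patched,
        None => Status::OutOfRange,
    }
}

// Collect (version, status) for every package named exactly ic-cdk.
fn scan_lockfile(lock: &str) -> Vec<(String, Status)> {
    let mut out = Vec::new();
    let mut in_ic_cdk = false;
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            in_ic_cdk = name == "\"ic-cdk\"";
        } else if let (true, Some(v)) = (in_ic_cdk, line.strip_prefix("version = ")) {
            let v = v.trim_matches('"');
            out.push((v.to_string(), classify(v)));
            in_ic_cdk = false;
        }
    }
    out
}

fn main() {
    let path = std::env::args().nth(1); // optional path to a Cargo.lock
    let text = path.map_or(SAMPLE_LOCK.to_string(), |p| std::fs::read_to_string(p).expect("read lockfile"));
    for (v, s) in scan_lockfile(&text) { println!("ic-cdk {}: {:?}", v, s); }
}
```

A lockfile can contain more than one ic-cdk entry when dependencies pull in different minor lines, so every entry is reported rather than only the first.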