v0.1.3 - Apr 30, 2025 - "Routing Unicode in 2025"
Bug Fixes
- Event::InvoiceReceived is now only generated once for each Bolt12Invoice
  received matching a pending outbound payment. Previously it would be provided
  each time we received an invoice, which may happen many times if the sender
  sends redundant messages to improve success rates (#3658).
- LDK's router now more fully saturates paths which are subject to HTLC
  maximum restrictions after the first hop. In some rare cases this can result
  in finding paths when it would previously spuriously decide it cannot find
  enough diverse paths (#3707, #3755).
Security
0.1.3 fixes a denial-of-service vulnerability which can cause a crash of an
LDK-based node if an attacker has access to a valid Bolt12Offer which the
LDK-based node created.
- A malicious payer which requests a BOLT 12 Invoice from an LDK-based node
  (via the Bolt12InvoiceRequest message) can cause the panic of the
  LDK-based node due to the way String::truncate handles UTF-8 codepoints.
  The codepath can only be reached once the received Bolt12InvoiceRequest
  has been authenticated to be based on a valid Bolt12Offer which the same
  LDK-based node issued (#3747, #3750).
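
The String::truncate behaviour behind this class of panic, shown next to a boundary-aware alternative. This is an added example, not LDK's code or its actual patch; the function names and the sample string are constructed for illustration.

```rust
use std::panic;

/// Hypothetical helper: shorten `s` to at most `max_len` bytes without
/// splitting a multi-byte UTF-8 codepoint.
pub fn truncate_on_char_boundary(s: &mut String, max_len: usize) {
    if s.len() <= max_len {
        return; // already short enough, nothing to cut
    }
    // Walk back from `max_len` to the nearest codepoint boundary.
    // Index 0 is always a boundary, so the loop terminates.
    let mut end = max_len;
    while !s.is_char_boundary(end) {
        end -= 1;
    }
    s.truncate(end);
}

/// Returns true if calling String::truncate(max_len) directly on `input`
/// panics, i.e. `max_len` falls inside a multi-byte codepoint.
pub fn naive_truncate_panics(input: &str, max_len: usize) -> bool {
    let mut owned = input.to_string();
    // catch_unwind is used only to observe the panic in this demo; the
    // default panic hook still prints its message to stderr.
    panic::catch_unwind(move || owned.truncate(max_len)).is_err()
}

/// Convenience wrapper returning the safely truncated copy.
pub fn safe_truncated(input: &str, max_len: usize) -> String {
    let mut owned = input.to_string();
    truncate_on_char_boundary(&mut owned, max_len);
    owned
}

fn main() {
    // Constructed untrusted input: '€' occupies bytes 2..5 of the string.
    let untrusted = "ab€cd";
    for max_len in [2, 3, 4, 5, 10] {
        println!(
            "max_len={:2} naive_panics={:5} safe={:?}",
            max_len,
            naive_truncate_panics(untrusted, max_len),
            safe_truncated(untrusted, max_len)
        );
    }
}
```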