
chore(deps): update rust crate dcap-qvl to 0.3.0 [security]#349

Open

renovate[bot] wants to merge 1 commit into main from renovate/crate-dcap-qvl-vulnerability

Conversation

@renovate renovate bot commented Jan 26, 2026

This PR contains the following updates:

Package  | Type                   | Update | Change
dcap-qvl | workspace.dependencies | minor  | 0.2.3 -> 0.3.0

GitHub Vulnerability Alerts

CVE-2026-22696

Impact

This vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl.

The library fetches QE Identity collateral (including qe_identity, qe_identity_signature, and qe_identity_issuer_chain) from the PCCS. However, it skips verifying the QE Identity signature against its certificate chain and does not enforce policy constraints on the QE Report.

Consequences

An attacker can forge the QE Identity data to whitelist a malicious or non-Intel Quoting Enclave. This allows the attacker to forge the QE and sign untrusted quotes that the verifier will accept as valid. Effectively, this bypasses the entire remote attestation security model, as the verifier can no longer trust the entity responsible for signing the quotes.

Who is impacted

All deployments utilizing the dcap-qvl library for SGX or TDX quote verification are affected.

Patches

The vulnerability has been patched in dcap-qvl version 0.3.9. The fix implements the missing cryptographic verification for the QE Identity signature and enforces the required checks for MRSIGNER, ISVPRODID, and ISVSVN against the QE Report.

Users of the @phala/dcap-qvl-node and @phala/dcap-qvl-web packages should switch to the pure JavaScript implementation, @phala/dcap-qvl.

Workarounds

There are no known workarounds for this vulnerability. Users must upgrade to the patched version to ensure that QE Identity collateral is properly verified.

Credit

This bug was reported by Rahul Saxena saxenism@bluethroatlabs.com.


Release Notes

Phala-Network/dcap-qvl (dcap-qvl)

v0.3.9


Changes in v0.3.9

  • Bump version to v0.3.9
  • Void a potential panic
  • Fix the clippy error
  • Fix cli compilation error
  • Better code style in verify_isv_report_signature
  • update deps
  • replace webpki with rustcrypto
  • Fix clippy
  • Correct tcbcomponents matching logic
  • Add sgx_attr validation and test cases
  • Update quote.rs
  • Update utils.rs
  • Update LICENSE
  • docs: fix license link
  • Add qe_status and platform_status in the verified report
  • Add comment on fn is_valid
  • Remove tests/js/test_data

Python Package

This release includes Python wheels for multiple platforms:

  • Linux: x86_64, x86, aarch64, armv7, s390x, ppc64le
  • Windows: x64, x86
  • macOS: x86_64, aarch64 (Apple Silicon)

Install with: pip install dcap-qvl==0.3.9

Rust Crate

Add to your Cargo.toml:

dcap-qvl = "0.3.9"

v0.3.8


Changes in v0.3.8

  • Bump version to 0.3.8
  • Revert the breaking change to public API

Python Package

This release includes Python wheels for multiple platforms:

  • Linux: x86_64, x86, aarch64, armv7, s390x, ppc64le
  • Windows: x64, x86
  • macOS: x86_64, aarch64 (Apple Silicon)

Install with: pip install dcap-qvl==0.3.8

Rust Crate

Add to your Cargo.toml:

dcap-qvl = "0.3.8"

v0.3.7


Changes in v0.3.7

  • v0.3.7
  • Enforce some more minor checks
  • Fix Python binding for TcbStatus enum
  • Fix tests
  • Add rejection for Revoked TCB status
  • Reject unknown TCB status

Python Package

This release includes Python wheels for multiple platforms:

  • Linux: x86_64, x86, aarch64, armv7, s390x, ppc64le
  • Windows: x64, x86
  • macOS: x86_64, aarch64 (Apple Silicon)

Install with: pip install dcap-qvl==0.3.7

Rust Crate

Add to your Cargo.toml:

dcap-qvl = "0.3.7"

v0.3.4


Changes in v0.3.4

  • Bump version to 0.3.4
  • pckinfo: Output json format
  • Add ppid in verification result
  • ci: set package name when publishing to npm
  • ci: setup npm trusted publisher
  • ci: added publish-npm workflow
  • ci: added publish_npm

Python Package

This release includes Python wheels for multiple platforms:

  • Linux: x86_64, x86, aarch64, armv7, s390x, ppc64le
  • Windows: x64, x86
  • macOS: x86_64, aarch64 (Apple Silicon)

Install with: pip install dcap-qvl==0.3.4

Rust Crate

Add to your Cargo.toml:

dcap-qvl = "0.3.4"

v0.3.3


Changes in v0.3.3

  • v0.3.3
  • Fix TrailingData(CertRevocationList)
  • Bump the rust-dependencies group across 1 directory with 9 updates

Python Package

This release includes Python wheels for multiple platforms:

  • Linux: x86_64, x86, aarch64, armv7, s390x, ppc64le
  • Windows: x64, x86
  • macOS: x86_64, aarch64 (Apple Silicon)

Install with: pip install dcap-qvl==0.3.3

Rust Crate

Add to your Cargo.toml:

dcap-qvl = "0.3.3"

v0.3.2


Changes in v0.3.2

  • Bump version to 0.3.2
  • Remove recursion limit
  • feat: added borsh_schema feature
  • Add even more traits
  • python: Export get_collateral from rust
  • chore: Add Clone trait to several types
  • feat: support quote verification for wasm32-unknown-unknown without I/O (#21)
  • feat: implement borsh serialization for public types (#20)
  • Bump the github-actions group with 2 updates
  • Update LICENSE
  • Update collateral.rs

Python Package

This release includes Python wheels for multiple platforms:

  • Linux: x86_64, x86, aarch64, armv7, s390x, ppc64le
  • Windows: x64, x86
  • macOS: x86_64, aarch64 (Apple Silicon)

Install with: pip install dcap-qvl==0.3.2

Rust Crate

Add to your Cargo.toml:

dcap-qvl = "0.3.2"

v0.3.0


Changes in v0.3.0

  • Fix wheels linux abi
  • Remove unused/untested workflows
  • python: Fix windows test failure
  • python: min ver 3.8
  • python: try fix windows build
  • python: Fix windows build
  • Cargo fmt
  • python: Fix windows build
  • python: Update build scripts
  • Support min python 3.7
  • Refactor Python bindings to remove async functions and add collateral API
  • Fix venv issue in the test script
  • Add Python type stubs (.pyi) for better IDE support and type checking
  • Add comprehensive GitHub Actions workflows for Python package publishing
  • Update README_Python.md for PyPI users
  • Upgrade PyO3 to 0.25 and replace pyo3-asyncio with pyo3-async-runtimes
  • Format code with black and cargo fmt
  • Add async functions and abi3 compatibility to Python bindings
  • Add Python bindings
  • cli: v0.3.1
  • Add cli check in Github Action
  • cli: Fix compilation error
  • Bump version to 0.3.0
  • Remove timeout arg
  • Add get_collateral_for_fmspc
  • Improve attributes checking
  • Fix default pccs_url
  • Support for CRL checks
  • Better way to construct URLs to get collateral
  • Revert "Remove unused crls from collateral"
  • Add comment for DCAP_SERVER_ROOTS
  • Ensure entire 8bits TUD to be zero
  • Check root certs in tests
  • manually import wasm in esbuild
  • remove wasm manually import
  • add vite and esbuild demo
  • refactor not using JSON.stringify in verify
  • roll back to previous version of parsing quote_collateral
  • update package version and add repository url which will be added to node/web js package.json
  • simple the quote_collateral parsing
  • add js get_collateral for node and web and update verify_quote for newly add js_get_collateral
  • add get_collateral and fix the old verify_quote

Python Package

This release includes Python wheels for multiple platforms:

  • Linux: x86_64, x86, aarch64, armv7, s390x, ppc64le
  • Windows: x64, x86
  • macOS: x86_64, aarch64 (Apple Silicon)

Install with: pip install dcap-qvl==0.3.0

Rust Crate

Add to your Cargo.toml:

dcap-qvl = "0.3.0"

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
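An added example, not code from dcap-qvl or from this PR: the QE Report policy checks the advisory above says the fix enforces (MRSIGNER, ISVPRODID and ISVSVN against the QE Identity), together with the rejection of Revoked and unknown TCB statuses from the v0.3.7 notes. Field names follow Intel's QE Identity JSON (mrsigner, isvprodid, tcbLevels[].tcb.isvsvn, tcbStatus); the struct names, the sample values and the assumption that the identity's signature has already been verified against its issuer chain are mine.

```rust
/// One QE Identity TCB level (Intel's tcbLevels[].tcb.isvsvn / tcbStatus).
#[derive(Debug, Clone)]
pub struct QeTcbLevel { pub isvsvn: u16, pub tcb_status: String }

/// The parts of a (signature-verified) QE Identity that the report policy needs.
#[derive(Debug, Clone)]
pub struct QeIdentity { pub mrsigner: [u8; 32], pub isvprodid: u16, pub tcb_levels: Vec<QeTcbLevel> }

/// Fields of the QE Report carried in the quote's signature data.
#[derive(Debug, Clone)]
pub struct QeReport { pub mrsigner: [u8; 32], pub isvprodid: u16, pub isvsvn: u16 }

#[derive(Debug, PartialEq)]
pub enum QeCheckError { MrSignerMismatch, IsvProdIdMismatch, IsvSvnTooLow, TcbStatusRejected(String) }

/// Enforce the identity's policy on the QE Report and return the QE TCB status.
/// Without these checks an enclave signed by anyone could pose as the Quoting Enclave.
pub fn check_qe_report(identity: &QeIdentity, report: &QeReport) -> Result<String, QeCheckError> {
    if identity.mrsigner != report.mrsigner {
        return Err(QeCheckError::MrSignerMismatch);
    }
    if identity.isvprodid != report.isvprodid {
        return Err(QeCheckError::IsvProdIdMismatch);
    }
    // Pick the highest level whose isvsvn the report meets; sort rather than
    // trusting the order in which the collateral lists the levels.
    let mut levels = identity.tcb_levels.clone();
    levels.sort_by(|a, b| b.isvsvn.cmp(&a.isvsvn));
    let level = levels.iter().find(|l| l.isvsvn <= report.isvsvn).ok_or(QeCheckError::IsvSvnTooLow)?;
    match level.tcb_status.as_str() {
        // Revoked and any unrecognised status are rejected; the caller decides about OutOfDate.
        "UpToDate" | "OutOfDate" => Ok(level.tcb_status.clone()),
        other => Err(QeCheckError::TcbStatusRejected(other.to_string())),
    }
}

/// Constructed sample identity (not real Intel collateral): prod id 1, SVN 8 current, 5 old, 3 revoked.
pub fn sample_identity() -> QeIdentity {
    let lvl = |isvsvn, s: &str| QeTcbLevel { isvsvn, tcb_status: s.to_string() };
    QeIdentity { mrsigner: [0xAB; 32], isvprodid: 1, tcb_levels: vec![lvl(3, "Revoked"), lvl(8, "UpToDate"), lvl(5, "OutOfDate")] }
}

fn main() {
    let id = sample_identity();
    let good = QeReport { mrsigner: [0xAB; 32], isvprodid: 1, isvsvn: 8 };
    let forged = QeReport { mrsigner: [0xCD; 32], ..good.clone() };
    println!("{:?}", check_qe_report(&id, &good));   // Ok("UpToDate")
    println!("{:?}", check_qe_report(&id, &forged)); // Err(MrSignerMismatch)
}
```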

@renovate renovate bot requested a review from a team as a code owner January 26, 2026 19:15
@renovate renovate bot force-pushed the renovate/crate-dcap-qvl-vulnerability branch from 9fd721d to 969c1bc on February 2, 2026 16:01
@renovate renovate bot force-pushed the renovate/crate-dcap-qvl-vulnerability branch from 969c1bc to 71732d1 on February 12, 2026 12:36
@renovate renovate bot force-pushed the renovate/crate-dcap-qvl-vulnerability branch from 71732d1 to 14483bc on February 25, 2026 17:53
