Skip to content

[CRITICAL] Security Risk: Custom Forks of Critical TLS Libraries from Unverified Branch #240

New issue
New issue
Open
#437
Open
[CRITICAL] Security Risk: Custom Forks of Critical TLS Libraries from Unverified Branch#240
#437
Assignees
mkmks
Labels
bugSomething isn't working
@evmparser

Description

@evmparser
evmparser
opened on Nov 2, 2025

Bug description

The project uses custom forks of critical security libraries from an unverified branch (mkmks/k256) instead of official releases. This poses a significant security risk as these libraries handle TLS/SSL encryption and certificate validation.

Affected Dependencies:

  • rustls - TLS library
  • rcgen - Certificate generation library
  • rustls-webpki - WebPKI certificate validation
  • tokio-rustls - Async TLS wrapper

Location: Cargo.toml (root workspace)

[patch.crates-io]
rustls = { git = "https://github.com/rustls/rustls.git", branch = "mkmks/k256" }
rcgen = { git = "https://github.com/rustls/rcgen.git", branch = "mkmks/k256" }
rustls-webpki = { git = "https://github.com/rustls/rustls.git", branch = "mkmks/k256" }
tokio-rustls = { git = "https://github.com/rustls/rustls.git", branch = "mkmks/k256" }

Severity: CRITICAL

To Reproduce

  1. Open Cargo.toml in the repository root
  2. Review the [patch.crates-io] section
  3. Notice all TLS-related libraries are patched from an unofficial "mkmks/k256" branch
  4. These forks are not officially released versions and may contain unreviewed security changes

Expected behavior

The project should use:

  • Official released versions from crates.io whenever possible
  • If custom patches are required, they should be:
    • From official maintainer branches
    • Properly documented explaining why the fork is necessary
    • Regularly updated to incorporate upstream security fixes
    • Reviewed by security experts

Suggested Fix

  1. Immediate action: Document why these specific forks are required
  2. Short-term: Work with upstream maintainers to merge necessary changes into official releases
  3. Long-term: Migrate to official crates.io versions
  4. Security review: Have these forked dependencies audited for security issues

Additional Context

Using custom forks of security-critical cryptographic libraries significantly increases the attack surface and makes it difficult to receive security updates. This is especially concerning for a Key Management System that must maintain the highest security standards.

  • Would you like to work on a fix? [y/n] Yes, happy to help document the rationale or assist in migration planning.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions