Skip to content

fix(deps): bump bcrypt to 0.19.2 for RUSTSEC-2026-0199#416

Merged
daniel-thom merged 1 commit into
mainfrom
fix/bcrypt-rustsec-2026-0199
Jul 4, 2026
Merged

fix(deps): bump bcrypt to 0.19.2 for RUSTSEC-2026-0199#416
daniel-thom merged 1 commit into
mainfrom
fix/bcrypt-rustsec-2026-0199

Conversation

@daniel-thom

Copy link
Copy Markdown
Collaborator

Summary

Bumps bcrypt from 0.19.1 to 0.19.2 (lockfile-only) to resolve RUSTSEC-2026-0199, which is failing the cargo-deny Security check on main and every open PR.

The vulnerability

bcrypt::verify(password, hash) and HashParts::from_str(hash) panic in str::slice_error_fail when given a 60-byte &str containing a multi-byte UTF-8 character at certain byte positions. The crate is #![forbid(unsafe_code)], so impact is limited to denial-of-service (no memory corruption) whenever an attacker-controlled hash string reaches those functions.

Change

The manifest already declares bcrypt = "0.19", so this is a Cargo.lock-only update:

cargo update -p bcrypt --precise 0.19.2

This is repo-wide (not tied to any feature branch), so it is raised directly against main. Once merged, other open PRs go green on the Security check after a rebase.

🤖 Generated with Claude Code

bcrypt 0.19.1 panics in `bcrypt::verify` / `HashParts::from_str` when given
a 60-byte hash string containing a multi-byte UTF-8 character at certain byte
positions (RUSTSEC-2026-0199). This is a denial-of-service if an
attacker-controlled hash reaches those functions. The fix ships in bcrypt
0.19.2, which rejects non-ASCII hash bytes up front. The manifest already
allows it (`bcrypt = "0.19"`), so this is a lockfile-only bump.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@daniel-thom
daniel-thom merged commit 06e5d25 into main Jul 4, 2026
9 checks passed
@daniel-thom
daniel-thom deleted the fix/bcrypt-rustsec-2026-0199 branch July 4, 2026 19:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant