Summary
The relay_rpc crate depends on jsonwebtoken = "8.1", which pulls in jsonwebtoken 8.3.0. This version is affected by CVE-2026-25537 (Type Confusion leading to potential authorization bypass, severity: medium). The fix requires upgrading to jsonwebtoken >= 10.3.0.
This also transitively resolves a second vulnerability: ring 0.16.20 (CVE-2025-4432, AES panic with overflow checking, severity: medium), since jsonwebtoken 10.x uses ring 0.17.x.
Affected crate
relay_rpc/Cargo.toml currently specifies:
Recommended fix
Upgrade to:
The core API surface (DecodingKey, Validation, Algorithm, decode(), errors::ErrorKind, jwk::Jwk) is largely preserved in 10.x. The main breaking change is that 10.x requires explicitly selecting a crypto backend feature (though the default features include one).
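One check a maintainer or downstream consumer can run before and after the bump is to read the resolved versions out of Cargo.lock rather than Cargo.toml, since the issue is about what the `"8.1"` requirement actually resolves to. The script below is an added example, not code from relay_rpc or from the jsonwebtoken project: it parses the `[[package]]` entries of a Cargo.lock with a small standard-library parser and flags any copy of jsonwebtoken below 10.3.0 or of ring below 0.17.0. The lockfile fragment is constructed to mirror the versions named in this issue (it is not the real relay_rpc lockfile), and the 0.17.0 floor for ring is an assumption taken from the statement that jsonwebtoken 10.x depends on ring 0.17.x.

```python
"""Flag jsonwebtoken / ring versions in a Cargo.lock that are below the fixed releases.

Added example, not part of relay_rpc. Uses only the standard library and a
line-based reader for the [[package]] tables, so it runs on any Python 3.
"""
import re

# Constructed sample lockfile; version numbers mirror the issue (jsonwebtoken
# 8.3.0 resolved over ring 0.16.20). This is NOT the project's real Cargo.lock.
SAMPLE_LOCK_VULNERABLE = """\
version = 3

[[package]]
name = "jsonwebtoken"
version = "8.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "ring",
]

[[package]]
name = "ring"
version = "0.16.20"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "relay_rpc"
version = "0.1.0"
dependencies = [
 "jsonwebtoken",
]
"""

# Minimum fixed versions. jsonwebtoken >= 10.3.0 is stated in the issue; the
# ring floor of 0.17.0 is an assumption based on "10.x uses ring 0.17.x".
FLOORS = {"jsonwebtoken": (10, 3, 0), "ring": (0, 17, 0)}

_PKG_FIELD = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def parse_lock(text):
    """Return a list of (name, version) for every [[package]] entry.

    Cargo.lock may list the same crate more than once (several resolved
    versions), so entries are not de-duplicated: each copy is checked.
    """
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current and "name" in current and "version" in current:
                packages.append((current["name"], current["version"]))
            current = {}
        elif current is not None:
            m = _PKG_FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    if current and "name" in current and "version" in current:
        packages.append((current["name"], current["version"]))
    return packages


def parse_version(version):
    """Turn '10.3.0' into (10, 3, 0); pre-release and build suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_vulnerable(text):
    """Return sorted (name, version) pairs whose resolved version is below its floor."""
    hits = []
    for name, version in parse_lock(text):
        floor = FLOORS.get(name)
        if floor is not None and parse_version(version) < floor:
            hits.append((name, version))
    return sorted(hits)


if __name__ == "__main__":
    # Running against a real tree: python check_lock.py < Cargo.lock
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOCK_VULNERABLE
    for name, version in find_vulnerable(source):
        print(f"{name} {version} is below the fixed version")
```

Run it against the real lockfile on stdin in CI so that a git-rev pin to relay_rpc (as in the downstream consumers mentioned below) still fails the build if the resolved jsonwebtoken has not moved to the fixed line; an empty result means every resolved copy meets the floor.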
Impact
Downstream consumers like reown-com/yttrium pin relay_rpc via git rev and inherit these vulnerabilities transitively. Upgrading would resolve 2 dependabot alerts for all downstream users.
References