Background
cargo audit reports two MEDIUM advisories on hickory-proto 0.25.2, pulled in transitively via libp2p-mdns:
- RUSTSEC-2026-0118 — NSEC3 unbounded loop (CPU exhaustion via crafted DNS message)
- RUSTSEC-2026-0119 — O(n²) name compression CPU exhaustion
Exposure
Validators are firewalled per project_sentry_node_architecture.md (signer-only, behind firewall, mdns disabled in production). Public RPC fullnodes also bundle the lib but don't expose mDNS.
Realistic attack surface: LAN-attached attacker on the same broadcast domain as a validator. Production validator-host LANs are operator-only — exposure is effectively zero today.
Why we can't bump now
No upstream fix in the libp2p tree yet. libp2p-mdns 0.46.x still pins hickory-proto = "0.25". Once libp2p publishes a release that uses hickory ≥ 0.26.1, bump and verify that cargo audit comes back clean.
Workaround in the meantime
Keep mDNS disabled on production validator configs. Verify with:
ssh vpsX 'docker exec sentrix-foundation env | grep -i mdns' # should be empty / disabled
Action
Watch upstream. When hickory 0.26.1+ lands in libp2p:
- cargo update -p libp2p
- cargo audit → confirm 0 findings
- Bump workspace version, deploy via halt-all + simul-start
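Added example (not part of this ticket, and not Sentrix tooling): a small POSIX sh gate that automates the two checks above, the mDNS-disabled check from the workaround and the "is hickory-proto at or above 0.26.1" check that decides when the bump can go ahead. The Cargo.lock fragments and the env variable name EXAMPLE_MDNS_ENABLED are constructed for illustration; the 0.26.1 floor comes from the ticket.

```shell
#!/bin/sh
# Added example, not the project's own script. Reads Cargo.lock content from a
# string, extracts every pinned hickory-proto version, and compares each against
# the advisory's fixed floor. Pre-release suffixes are not handled (assumption:
# plain dotted numeric versions, which is what Cargo.lock carries here).

FIXED_VERSION="0.26.1"   # floor taken from the ticket (RUSTSEC-2026-0118/0119 fixed in hickory >= 0.26.1)

# hickory_versions: stdin = Cargo.lock text; prints each pinned hickory-proto version.
# A single crate may appear more than once in a lockfile, so every copy is reported.
hickory_versions() {
    awk '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); if (name == "hickory-proto") print $3 }
    '
}

# version_ge A B: exit 0 when dotted version A >= B (numeric, component by component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# lock_is_patched LOCK_TEXT: exit 0 only if every pinned hickory-proto copy is
# >= FIXED_VERSION (vacuously true if the crate is no longer in the tree).
# Mirrors what cargo audit would flag: one stale copy is enough to fail.
lock_is_patched() {
    for v in $(printf '%s\n' "$1" | hickory_versions); do
        version_ge "$v" "$FIXED_VERSION" || return 1
    done
    return 0
}

# mdns_disabled ENV_TEXT: exit 0 if the container env has no mDNS variable, or only
# ones set to an off value. Same intent as `env | grep -i mdns` being empty/disabled.
mdns_disabled() {
    printf '%s\n' "$1" | grep -i mdns | grep -Evi '=(false|0|disabled|off)$' | grep -q . && return 1
    return 0
}

# Constructed sample inputs (not real lockfiles or real container env output).
LOCK_BEFORE='[[package]]
name = "hickory-proto"
version = "0.25.2"

[[package]]
name = "libp2p-mdns"
version = "0.46.0"'

LOCK_AFTER='[[package]]
name = "hickory-proto"
version = "0.26.1"

[[package]]
name = "libp2p-mdns"
version = "0.47.0"'

LOCK_MIXED="$LOCK_AFTER
[[package]]
name = \"hickory-proto\"
version = \"0.25.2\""

ENV_CLEAN='PATH=/usr/bin
RUST_LOG=info'
ENV_OFF='EXAMPLE_MDNS_ENABLED=false'
ENV_ON='EXAMPLE_MDNS_ENABLED=true'

# Stand-alone run: report each case without exiting, so the functions stay callable.
for case in BEFORE AFTER MIXED; do
    eval "lock=\$LOCK_$case"
    if lock_is_patched "$lock"; then echo "$case: hickory-proto at/above $FIXED_VERSION, bump can proceed"
    else echo "$case: still on a vulnerable hickory-proto pin"; fi
done
for case in CLEAN OFF ON; do
    eval "envtxt=\$ENV_$case"
    if mdns_disabled "$envtxt"; then echo "env $case: mDNS disabled"; else echo "env $case: mDNS ENABLED, fix config"; fi
done
```

Run it against the real files with `lock_is_patched "$(cat Cargo.lock)"` after `cargo update -p libp2p`, and feed `mdns_disabled` the output of the `docker exec ... env` command from the workaround; a non-zero exit from either is the signal to stop before the version bump.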
Severity
MEDIUM — track but not deploy-blocking. Verdict from 2026-05-13 internal Sentrix Labs Rust audit: production-OK.