
Candid upgrade required due to important security advisory

Candid security advisory

Hello developers,

Today, we have an important security update to share. Recently, the DFINITY security team discovered a vulnerability in the Candid Rust library that could be exploited for denial of service (DoS), degrading canister performance. This security advisory does not affect Motoko canisters.

To address this security flaw, a patch has been applied in the latest Candid Rust library update, 0.9.10. It is strongly advised that all canisters that are running Candid 0.9.0 and older upgrade to the latest version of the Candid Rust library (0.9.10).

For asset canisters that are bundled with dfx running dfx versions 0.14.4 and older, it is strongly advised to upgrade to the latest version of dfx, 0.15.2, then redeploy the asset canister(s).
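To help decide which canisters the two upgrade steps above apply to, here is an added audit script (not part of this advisory and not code from the Candid or dfx projects). It reads a Cargo.lock, lists every pinned `candid` version, compares each numerically against 0.9.10, and checks a dfx version string against 0.15.2. The Cargo.lock content is constructed for the demonstration, and the script assumes `dfx --version` prints a line of the form `dfx 0.14.4`.

```python
import re
from typing import Dict, List, Tuple

# Patched releases named in the advisory.
CANDID_FIXED = "0.9.10"
DFX_FIXED = "0.15.2"

# Constructed sample Cargo.lock for the demonstration (not from any real project).
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "candid"
version = "0.9.8"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ic-cdk"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "candid",
]

[[package]]
name = "serde"
version = "1.0.190"
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.9.10' into (0, 9, 10) so comparison is numeric, not lexical.
    Plain string comparison gets '0.9.9' < '0.9.10' wrong, which matters here."""
    core = v.split("-", 1)[0].split("+", 1)[0]  # drop pre-release / build metadata
    return tuple(int(part) for part in core.split("."))


def locked_versions(cargo_lock: str, package: str) -> List[str]:
    """Return every version of `package` pinned in a Cargo.lock.
    Cargo.lock is a flat sequence of [[package]] tables, each with a name and a
    version line; a lockfile may pin several versions of the same crate, so all
    are returned. Minimal line parser so no extra modules are needed."""
    versions, current_name = [], None
    for line in cargo_lock.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current_name = None
        elif (m := re.fullmatch(r'name = "([^"]+)"', line)):
            current_name = m.group(1)
        elif (m := re.fullmatch(r'version = "([^"]+)"', line)) and current_name == package:
            versions.append(m.group(1))
    return versions


def needs_upgrade(found: str, fixed: str) -> bool:
    """True when the found version is strictly below the patched release."""
    return parse_version(found) < parse_version(fixed)


def audit_candid(cargo_lock: str) -> Dict[str, bool]:
    """Map each locked candid version to whether it is below 0.9.10."""
    return {v: needs_upgrade(v, CANDID_FIXED) for v in locked_versions(cargo_lock, "candid")}


def audit_dfx(dfx_version_line: str) -> bool:
    """True if the installed dfx (assumed `dfx --version` output such as 'dfx 0.14.4')
    is below 0.15.2, i.e. bundled asset canisters should be redeployed after upgrading."""
    return needs_upgrade(dfx_version_line.split()[-1], DFX_FIXED)


if __name__ == "__main__":
    for version, outdated in audit_candid(SAMPLE_CARGO_LOCK).items():
        print(f"candid {version}: {'UPGRADE to ' + CANDID_FIXED if outdated else 'ok'}")
    print("dfx 0.14.4 needs upgrade:", audit_dfx("dfx 0.14.4"))
```

Run it against a real project by replacing `SAMPLE_CARGO_LOCK` with the contents of the canister's `Cargo.lock`; a `True` entry means the crate is pinned below the patched release and the canister should be rebuilt with Candid 0.9.10 and redeployed.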

The ICP community is encouraged to report any bugs or security issues found responsibly. You can refer to the Bug Bounty program for more information.

All affected canisters that are developed and maintained by DFINITY have been upgraded to the latest version.

A GitHub security advisory has been published and can be viewed here.

If you have questions, the forum post discussion for this security advisory can be found here.

Additional resources can be found here: