quinn-proto 0.11.12 has CVE-2026-31812 (HIGH) — needs bump to >= 0.11.14

[christiantill]

Summary

The vendored Cargo.lock in the Rust bridge ships quinn-proto 0.11.12, which is affected by CVE-2026-31812 (unauthenticated remote DoS via panic in QUIC transport parameter handling).

The fix is quinn-proto >= 0.11.14.

Both temporalio 1.22.0 and 1.23.0 on PyPI include the vulnerable version.

Steps to reproduce

pip install temporalio==1.23.0
# Inspect the vendored lockfile:
python -c "
import zipfile, sysconfig, pathlib
p = pathlib.Path(sysconfig.get_paths()['purelib']) / 'temporalio' / 'bridge' / 'Cargo.lock'
import re
for m in re.finditer(r'name = \"quinn-proto\"\nversion = \"([^\"]+)\"', p.read_text()):
    print(f'quinn-proto = {m.group(1)}')
"
# Output: quinn-proto = 0.11.12

Expected

quinn-proto >= 0.11.14 in the vendored Cargo.lock.

References

• CVE: https://avd.aquasec.com/nvd/cve-2026-31812
• Previous bump: Upgrade quinn-proto version to fix security vulnerability #651 (1.8.0 release)

[sophie-ty]

Hi. Thanks for the quick fix. Can you estimate, when there will be a release with this fix? As it is of high vulnerability. Thanks alot.

[tconley1428]

Probably next week or so, but we don't actually use QUIC, there is no real vulnerability from this dependency.