This page tracks public GitHub issues filed as security reports or mirrors of private advisories. It shows whether each report is fixed, documented, not a production vulnerability, duplicate, or still open.

For new exploitable vulnerabilities, use the private reporting path in SECURITY.md. Do not include exploit details in public issues.

Status snapshot: 2026-06-30. General support, process, consolidation, and feature-request issues are excluded. Related hardening and roadmap trackers are listed separately.

Use these outcomes when reading public security reports and already-public findings:

| Outcome | Meaning |
|---|---|
| Valid report, fixed | The report was valid and was addressed by a code or configuration change |
| Valid report, documented | The report describes real behavior, but the project response is documentation or threat-model clarification rather than a code change |
| Valid hardening, open | The report is valid defense-in-depth work and remains open |
| Valid roadmap, open | The report identifies security-related design work that needs a compatibility or migration plan |
| Not a production vulnerability | The report does not compromise supported production deployments under the documented threat model |
| Duplicate | The report repeats another public issue or private advisory response |

These issues were filed as concrete vulnerability reports, security audit findings, or public mirrors of private advisories. Some resulted in fixes. Some are documented design choices or not production vulnerabilities.

| Issue | Status | Outcome | Project response |
|---|---|---|---|
| #549 Disk encryption key collision when no_instance_id=true and HKDF context ambiguity | Closed | Valid report, documented | no_instance_id=true intentionally shares disk keys across instances, and the HKDF inputs have fixed lengths. No code fix has been applied. Zero-padding for the unset instance ID remains optional hardening |
| #550 Compose hash computed on raw bytes, not canonicalized JSON | Closed | Valid report, documented | dstack treats compose JSON as an opaque byte sequence. Any byte-level change is a different measured application configuration. No code fix was applied |
| #551 Shell injection via init_script and pre_launch_script in compose | Closed | Valid report, documented | Scripts are application-owned code and are measured as part of app configuration. Verifiers must treat script contents as part of the application trust decision. No code fix was applied |
| #552 Static HKDF salt and no key versioning | Open | Valid roadmap, open | Static salt is acceptable with high-entropy KMS root material and explicit context. No code fix has been applied. Key versioning and rotation require a broader compatibility design |
| #553 derive_dh_secret hashes PKCS#8 DER | Closed | Valid report, fixed | #603 stabilizes the P-256 private key encoding used for derivation |
| #554 Signature concatenation without length prefixes enables collision | Closed | Valid report, fixed | #604 enforces the 20-byte app_id length in CVM setup |
| #555 LUKS header TOCTOU between validation and luksOpen | Closed | Not a production vulnerability | The setup code validates and opens the same in-memory LUKS header. No code fix was applied |
| #556 Disk encryption key and WireGuard key visible in /proc/PID/cmdline | Open | Valid hardening, open | Tracks removal of transient command-line exposure for secret-bearing setup commands |
| #557 Runtime event log writable by any VM process | Closed | Valid report, fixed | #602 restricts runtime event-log permissions |
| #558 Path traversal in KMS remove_cache | Closed | Valid report, fixed | #601 validates cache paths before deletion |
| #559 Zero mr_config_id bypasses verification and weakens mr_aggregated identity | Closed | Not a production vulnerability | Zero mr_config_id remains an unset-value compatibility case, and configuration changes are still reflected through RTMR-based measurements. No code fix was applied |
| #560 Admin token comparison not constant-time | Closed | Not a production vulnerability | The comparison is over a SHA-256 digest of a high-entropy token, not the raw token. No code fix was applied |
| #561 KMS TLS client certificates are non-mandatory in Rocket config | Closed | Valid report, documented | The TLS listener allows unauthenticated bootstrap, temp-CA bootstrap, and public endpoints. GetTempCaCert returns temp CA private material for bootstrap. App/KMS key release requires verified caller attestation, and certificate signing verifies the CSR signature and embedded attestation. No code fix was applied |
| #562 Configfs path overridable through an environment variable | Closed | Not a production vulnerability | A process that can choose its own quote path is already inside the measured CVM behavior. No code fix has been applied. A production guard for DCAP_TDX_QUOTE_CONFIGFS_PATH remains possible hardening |
| #563 simulate_quote runtime path in production guest agent | Closed | Valid report, fixed | #582 isolates the simulator into a dedicated binary |
| #564 GetAppEnvEncryptPubKey unauthenticated app ID enumeration | Closed | Not a production vulnerability | The RPC returns a public encryption key before an app has an attested identity, and app_id is not treated as secret. No code fix was applied |
| #565 Infinite loop in wait_for_generation_change | Closed | Valid report, fixed | #596 bounds the ConfigFS generation wait loop |
| #566 Gzip decompression bomb in RA-TLS cert extension | Closed | Valid report, fixed | #595 bounds decompressed RA-TLS event-log extension size |
| #567 Unbounded allocation in VecOf decode | Closed | Valid report, fixed | #570 caps VecOf decode length and pre-allocation |
| #568 Webhook URL leaked via println! in production code | Closed | Valid report, fixed | Fixed before the issue was triaged by removing the unsafe log output in 79b8b8d2 |
| #605 Guest agent derives identical key material for ed25519 and secp256k1 | Closed | Valid report, documented | Existing derived key bytes are preserved. Docs state that path is the domain separator and callers must use algorithm-specific paths when they require independent keys. No code fix was applied |
| #606 App keys and decrypted env files world-readable | Open | Valid hardening, open | Tightening secret-bearing file writes to owner-only permissions (0600) is valid defense-in-depth work with no expected compatibility cost |
| #607 gateway_app_id = "any" disables gateway identity pinning | Closed | Not a production vulnerability | gateway_app_id is KMS contract configuration and is publicly auditable. Production deployments must not use "any". No code fix was applied |
| #608 auth_api.type = "dev" allows all authorization | Closed | Not a production vulnerability | Dev auth is measured runtime configuration, not a production mode. Production must use webhook/on-chain authorization. No code fix was applied |
| #609 quote_enabled = false bypasses attestation | Closed | Not a production vulnerability | The flag is measured in runtime configuration and should fail production attestation policy. No code fix was applied |
| #610 Unauthenticated bootstrap endpoint can overwrite root keys | Closed | Not a production vulnerability | The bootstrap endpoint does not accept caller-supplied root key material. Root keys are generated server-side, and the operator chooses which result to publish. No code fix was applied |
| #611 Unauthenticated /finish endpoint can shut down KMS onboard service | Closed | Not a production vulnerability | The onboard service is a short-lived setup flow. Premature shutdown causes operator retry, not persistent compromise or data loss. No code fix was applied |
| #612 Gateway register_cvm prefers stale app_info over live attestation | Closed | Not a production vulnerability | Cert-embedded app_info is extracted from attestation and signed by KMS. Preferring it avoids redundant extraction and is not a trust bypass. No code fix was applied |
| #613 10-year default certificate validity undermines attestation freshness | Closed | Not a production vulnerability | RA-TLS certificates embed attestation evidence and verifiers validate that evidence during connection handling. Freshness policy belongs in verifier policy, not only certificate expiry. No code fix was applied |
| #614 VMM no_tee flag allows launching VMs without TDX protection | Closed | Not a production vulnerability | no_tee VMs cannot produce valid TDX quotes and cannot join the production trust chain unless other development-only checks are also disabled. No code fix was applied |
| #615 Host-supplied sys_config not measured but influences security-critical behavior | Closed | Not a production vulnerability | Network endpoints are not trust anchors. KMS, gateway, and PCCS trust decisions rely on cryptographic verification, not host-supplied URLs. No code fix was applied |
| #616 Host-controlled Docker registry mirror enables image substitution attacks | Closed | Not a production vulnerability | Registry mirrors are untrusted transport. Digest-pinned image references and measured compose configuration protect against substitution. No code fix was applied |
| #617 Guest agent exposes raw private keys to all local processes | Closed | Not a production vulnerability | dstack treats a CVM as one application trust domain. It does not provide per-container key isolation inside the same measured application. No code fix was applied |
| #618 Disk encryption disableable via kernel cmdline, not measured in RTMR | Closed | Not a production vulnerability | The kernel command line is measured into RTMR2, so changing dstack.storage_encrypted=false changes attestation evidence. No code fix was applied |
| #619 KMS get_temp_ca_cert returns temp CA private key without authentication | Closed | Duplicate | The report duplicates the private advisory response for the temp CA bootstrap flow |

These issues affect security architecture, future verification behavior, operational hardening, or security documentation. They are intentionally separated from the report table because they are not vulnerability reports.

| Issue | Status | Type | Scope |
|---|---|---|---|
| #113 Alternative to RA-TLS | Open | Architecture roadmap | Tracks possible application-level attestation or pre-registration approaches |
| #114 On-chain logs for KMS replication | Open | Auditability roadmap | Tracks transparency for KMS onboarding and replication events |
| #115 Censorship resistance in the KMS | Open | Governance roadmap | Tracks how KMS instances should prove an up-to-date chain view after de-registration or policy changes |
| #411 Adopt RFC 8785 JCS for canonical compose hash calculation | Open | Measurement roadmap | Tracks a possible future canonical hash scheme. Current raw-byte hashing is intentional and recorded in #550 |
| #745 secure_time: true cannot sync because guest chrony lacks NTS | Open | Security feature bug | Tracks a secure-time boot failure. The fix is in meta-dstack#76 |
| #746 Harden AMD SEV-SNP KDS collateral fetch | Open | Availability hardening | Tracks async client, timeout, and caching hardening for SNP KDS collateral fetch. Verification remains fail-closed |