Dapr june 2023 fuzzing audit report
PRESENTS Dapr Fuzzing Audit In collaboration with the Dapr project maintainers and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: 30th report is licensed under Creative Commons 4.0 (CC BY 4.0) CNCF security and fuzzing audits This report details a fuzzing audit commissioned by the CNCF and the engagement is part of the broader efforts CNCF has been investing in security audits, fuzzing and software supply chain security that has helped proactively discover and fix hundreds of issues. Fuzzing is a proven technique for finding security
0 credits | 19 pages | 690.59 KB | 1 year ago | 3
Dapr september 2023 security audit report
contents Table of contents: Executive summary, Project Summary, Audit Scope, Threat model, Fuzzing, Issues found, SLSA, Supply-chain mitigations. Dapr security audit 2023 Executive the code assets in scope. 2. Do a manual code audit of the code assets in scope. 3. Evaluate Dapr's fuzzing suite against the formalised threat model. 4. Perform a SLSA review of Dapr. Our overall assessment summarised 7 security issues found; All issues except for 1 have been fixed; Five fuzzers added to Dapr's fuzzing suite; 1 CVE assigned; Threat model included in report; SLSA compliance review included in report
0 credits | 47 pages | 1.05 MB | 1 year ago | 3
2 results in total