Interesting. The vulnerability is a TOCTOU one that I have a paper about:

https://www.researchgate.net/publication/2462817_Checking_for_Race_Conditions_in_File_Accesses?_tp=eyJjb250ZXh0Ijp7InBhZ2UiOiJzY2llbnRpZmljQ29udHJpYnV0aW9ucyIsInByZXZpb3VzUGFnZSI6bnVsbH19

But it is in a function that gossip isn't triggering . Gossip uses tempdir 0.3.7 which relies on an old remove_dir_all crate with the bug. But we don't call any remove directory functionality in tempdir, and tempdir hasn't been updated. So we are safe and can't even update right now if we wanted to.