
Handling untrusted input can result in a crash, leading to loss of availability / denial of service

High
steveluscher published GHSA-8m45-2rjm-j347 Apr 17, 2024

Package

npm @solana/web3.js (npm)

Affected versions

1.91 - 1.91.2,1.90 - 1.90.1,1.89 - 1.89.1,1.88,1.87 - 1.87.6,1.86,1.85,1.84,1.83,1.82,1.81,1.80,1.79,1.78 - 1.78.7,1.77 - 1.77.3,1.76,1.75,1.74,1.73 - 1.73.4,1.72,1.71,1.70 - 1.70.3,1.69,1.68 - 1.68.1,1.67 - 1.67.2,1.66 - 1.66.5,1.65,1.64,1.63 - 1.63.1,1.62 - 1.62.1,1.61 - 1.61.1,1.60,1.59 - 1.59.1,1.58,1.57,1.56 - 1.56.2,1.55,1.54 - 1.54.1,1.53,1.52,1.51,1.50 - 1.50.1,1.49,1.48,1.47 - 1.47.4,1.46,1.45,1.44 - 1.44.3,1.43 - 1.43.6,1.42,1.41 - 1.41.10,1.40 - 1.40.1,1.39 - 1.39.1,1.38,1.37 - 1.37.2,1.36,1.35 - 1.35.1,1.34,1.33,1.32 - 1.32.2,1.31,1.30 - 1.30.2,1.29 - 1.29.3,1.28,1.27,1.26,1.25,1.24 - 1.24.2,1.23,1.22,1.21,1.20 - 1.20.2,1.19,1.18,1.17,1.16 - 1.16.1,1.15,1.14,1.13,1.12,1.11,1.10 - 1.10.1,1.9 - 1.9.1,1.8,1.7 - 1.7.1,1.6,1.5,1.4,1.3,1.2 - 1.2.7,1.1 - 1.1.1,<=1.0.0

Patched versions

1.0.1,1.10.2,1.11.1,1.12.1,1.1.2,1.13.1,1.14.1,1.15.1,1.16.2,1.17.1,1.18.1,1.19.1,1.20.3,1.21.1,1.22.1,1.23.1,1.24.3,1.25.1,1.26.1,1.27.1,1.28.1,1.2.8,1.29.4,1.30.3,1.31.1,1.3.1,1.32.3,1.33.1,1.34.1,1.35.2,1.36.1,1.37.3,1.38.1,1.39.2,1.40.2,1.41.11,1.4.1,1.42.1,1.43.7,1.44.4,1.45.1,1.46.1,1.47.5,1.48.1,1.49.1,1.50.2,1.51.1,1.5.1,1.52.1,1.53.1,1.54.2,1.55.1,1.56.3,1.57.1,1.58.1,1.59.2,1.60.1,1.61.2,1.6.1,1.62.2,1.63.2,1.64.1,1.65.1,1.66.6,1.67.3,1.68.2,1.69.1,1.70.4,1.71.1,1.72.1,1.7.2,1.73.5,1.74.1,1.75.1,1.76.1,1.77.4,1.78.8,1.79.1,1.80.1,1.81.1,1.8.1,1.82.1,1.83.1,1.84.1,1.85.1,1.86.1,1.87.7,1.88.1,1.89.2,1.90.2,1.9.2,>=1.91.3

Description

Using particular inputs with @solana/web3.js will result in memory exhaustion (OOM).

If you have a server, client, mobile, or desktop product that accepts untrusted input and passes it to one of the affected versions of @solana/web3.js, your application or service may crash, resulting in a loss of availability. Upgrade to a patched version.
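A dependency-free way to check whether an installed @solana/web3.js version falls inside this advisory's "Affected versions" list and, if so, which release on the same minor line carries the fix. This is an added example, not code from the advisory or from the @solana/web3.js project; the two lists are copied verbatim from the advisory above, and the range syntax is read as printed there: "A - B" is inclusive, a bare "1.88" is that single release (1.88.0), and "<=1.0.0" / ">=1.91.3" are bounds.

```javascript
// Added example, not the advisory's or the library's own code. Lists are
// copied verbatim from the advisory's "Affected" and "Patched" sections.
const AFFECTED = '1.91 - 1.91.2,1.90 - 1.90.1,1.89 - 1.89.1,1.88,1.87 - 1.87.6,1.86,1.85,1.84,1.83,1.82,1.81,1.80,1.79,1.78 - 1.78.7,1.77 - 1.77.3,1.76,1.75,1.74,1.73 - 1.73.4,1.72,1.71,1.70 - 1.70.3,1.69,1.68 - 1.68.1,1.67 - 1.67.2,1.66 - 1.66.5,1.65,1.64,1.63 - 1.63.1,1.62 - 1.62.1,1.61 - 1.61.1,1.60,1.59 - 1.59.1,1.58,1.57,1.56 - 1.56.2,1.55,1.54 - 1.54.1,1.53,1.52,1.51,1.50 - 1.50.1,1.49,1.48,1.47 - 1.47.4,1.46,1.45,1.44 - 1.44.3,1.43 - 1.43.6,1.42,1.41 - 1.41.10,1.40 - 1.40.1,1.39 - 1.39.1,1.38,1.37 - 1.37.2,1.36,1.35 - 1.35.1,1.34,1.33,1.32 - 1.32.2,1.31,1.30 - 1.30.2,1.29 - 1.29.3,1.28,1.27,1.26,1.25,1.24 - 1.24.2,1.23,1.22,1.21,1.20 - 1.20.2,1.19,1.18,1.17,1.16 - 1.16.1,1.15,1.14,1.13,1.12,1.11,1.10 - 1.10.1,1.9 - 1.9.1,1.8,1.7 - 1.7.1,1.6,1.5,1.4,1.3,1.2 - 1.2.7,1.1 - 1.1.1,<=1.0.0';
const PATCHED = '1.0.1,1.10.2,1.11.1,1.12.1,1.1.2,1.13.1,1.14.1,1.15.1,1.16.2,1.17.1,1.18.1,1.19.1,1.20.3,1.21.1,1.22.1,1.23.1,1.24.3,1.25.1,1.26.1,1.27.1,1.28.1,1.2.8,1.29.4,1.30.3,1.31.1,1.3.1,1.32.3,1.33.1,1.34.1,1.35.2,1.36.1,1.37.3,1.38.1,1.39.2,1.40.2,1.41.11,1.4.1,1.42.1,1.43.7,1.44.4,1.45.1,1.46.1,1.47.5,1.48.1,1.49.1,1.50.2,1.51.1,1.5.1,1.52.1,1.53.1,1.54.2,1.55.1,1.56.3,1.57.1,1.58.1,1.59.2,1.60.1,1.61.2,1.6.1,1.62.2,1.63.2,1.64.1,1.65.1,1.66.6,1.67.3,1.68.2,1.69.1,1.70.4,1.71.1,1.72.1,1.7.2,1.73.5,1.74.1,1.75.1,1.76.1,1.77.4,1.78.8,1.79.1,1.80.1,1.81.1,1.8.1,1.82.1,1.83.1,1.84.1,1.85.1,1.86.1,1.87.7,1.88.1,1.89.2,1.90.2,1.9.2,>=1.91.3';

// "1.91" -> [1, 91, 0]. A pre-release/build suffix ("1.91.3-rc.1") is dropped,
// so such builds compare as their base version (a simplifying assumption).
function parseVersion(v) {
  const parts = v.trim().replace(/[-+].*$/, '').split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison of [major, minor, patch] tuples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` falls inside any range of the advisory's affected list.
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED.split(',').some((raw) => {
    const r = raw.trim();
    if (r.startsWith('<=')) return compareVersions(v, parseVersion(r.slice(2))) <= 0;
    if (r.includes(' - ')) {
      const [lo, hi] = r.split(' - ').map((s) => parseVersion(s));
      return compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
    }
    return compareVersions(v, parseVersion(r)) === 0; // bare entry: one release
  });
}

// The patched release on the same major.minor line as `version`
// (e.g. 1.91.2 -> "1.91.3"), or null when the advisory lists none.
function patchedVersionFor(version) {
  const v = parseVersion(version);
  for (const raw of PATCHED.split(',')) {
    const p = parseVersion(raw.replace('>=', ''));
    if (p[0] === v[0] && p[1] === v[1]) return p.join('.');
  }
  return null;
}

// Usage inside a project that has the package installed (constructed example):
//   const v = require('@solana/web3.js/package.json').version;
//   if (isAffected(v)) console.log(`upgrade to ${patchedVersionFor(v)}`);
```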

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-30253

Weaknesses

No CWEs

Credits