fix: RUSTSEC-2025-0073 (alloy-dyn-abi), update to description and credit (#2423)

zerosnacks
2025-10-15 15:11:39 +02:00
committed by GitHub
parent 49bc507e4c
commit 218a772dc1


@@ -18,10 +18,12 @@ patched = [">=0.8.26, <1.0.0", ">=1.4.1"]
# DoS vulnerability on `alloy_dyn_abi::TypedData` hashing
An uncaught panic triggered by malformed input to `alloy_dyn_abi::TypedData` could lead to a denial-of-service (DoS) when the library is used in auto-restarting software.
An uncaught panic triggered by malformed input to `alloy_dyn_abi::TypedData` could lead to a denial-of-service (DoS) via `eip712_signing_hash()`.
Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.
The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version [v1.4.1](https://crates.io/crates/alloy-dyn-abi/1.4.1) and backported to [v0.8.26](https://crates.io/crates/alloy-dyn-abi/0.8.26).
There is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.
Reported by [Christian Reitter](https://github.com/cr-tk) & [Zeke Mostov](https://github.com/emostov).
Reported by [Christian Reitter](https://github.com/cr-tk) & [Zeke Mostov](https://github.com/emostov) from [Turnkey](https://www.turnkey.com/).
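Review bot: now that the summary names `eip712_signing_hash()` as the vulnerable entry point, the unchanged patch description still says only that "the element" is checked for emptiness before "its first element" is accessed, without saying which field or collection of `TypedData` that element belongs to; naming it (or the function where the check was added) would let readers verify the fix against the source rather than take the sentence on trust. The reworded credit line is also ambiguous as written, since "Christian Reitter & Zeke Mostov from Turnkey" can be read as attributing the affiliation to both reporters or only to the second; if only one is from Turnkey, put the affiliation directly after that name.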