GHSA-f8qm-hmm3-fv7f – namada-apps
Package
Manager: cargo
Name: namada-apps
Vulnerable Version: =1.0.0 || >=1.0.0 <1.1.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
EPSS: N/A (percentile: N/A)
Details
Namada-apps allows Excessive Computation in Mempool Validation

### Impact

A malicious transaction may cause an expensive computation in mempool validation. A transaction with multiple repeated sections causes the section hash calculation used for signature validation to grow exponentially (and potentially even cubically) in proportion to the number of sections. This may be used to significantly slow down the operation of nodes.

### Patches

This issue has been patched in apps version 1.1.0. Transaction sections are now checked for uniqueness, and the number of sections permitted in a single transaction is limited to 10,000.

### Workarounds

There are no workarounds; users are advised to upgrade.
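The two checks named under Patches (section uniqueness and a 10,000-section cap), sketched as an added example that is not Namada's own code. The function name `check_sections`, the error type, and the representation of a section as serialized bytes are assumptions made for illustration.

```rust
use std::collections::HashSet;

/// Section limit stated in the advisory for the patched release.
pub const MAX_SECTIONS: usize = 10_000;

#[derive(Debug, PartialEq)]
pub enum SectionError {
    TooMany { count: usize },
    Duplicate { index: usize },
}

/// Hypothetical pre-validation step (assumption: each section is available as
/// its serialized bytes). It is meant to run before any section hashing or
/// signature verification, so a hostile transaction is rejected cheaply.
pub fn check_sections(sections: &[Vec<u8>]) -> Result<(), SectionError> {
    // Length check first: an oversized transaction is rejected in O(1).
    if sections.len() > MAX_SECTIONS {
        return Err(SectionError::TooMany { count: sections.len() });
    }
    // Single pass over borrowed slices; no section is copied.
    let mut seen: HashSet<&[u8]> = HashSet::with_capacity(sections.len());
    for (index, section) in sections.iter().enumerate() {
        if !seen.insert(section.as_slice()) {
            // Report the position of the first repeated section.
            return Err(SectionError::Duplicate { index });
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample input: three sections, the last repeating the first.
    let tx = vec![b"code".to_vec(), b"data".to_vec(), b"code".to_vec()];
    println!("{:?}", check_sections(&tx));
}
```

Both checks are linear in the transaction size, which bounds the work done per mempool submission regardless of how the later hash computation scales.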
Metadata
Created: 2025-02-20T20:34:04Z
Modified: 2025-02-20T20:34:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-f8qm-hmm3-fv7f/GHSA-f8qm-hmm3-fv7f.json
CWE IDs: ["CWE-770"]
Alternative ID: N/A
Finding: F067
Auto approve: 1