CVE-2023-33252 – snarkjs
Package
Manager: npm
Name: snarkjs
Vulnerable Version: >=0 <=0.6.11
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0009 (percentile: 0.26455)
Details
Double spend in snarkjs: iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
Metadata
Created: 2023-05-22T00:30:20Z
Modified: 2023-05-30T23:12:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-xp5g-jhg3-3rg2/GHSA-xp5g-jhg3-3rg2.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-xp5g-jhg3-3rg2
Finding: F039
Auto approve: 1