Fluid Attacks Database

Description

alloy-dyn-abi has DoS vulnerability on alloy_dyn_abi::TypedData hashing

Impact

An uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash().

Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.

Patches

The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.

Workarounds

There is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.

Reported by

Christian Reitter & Zeke Mostov from Turnkey

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
cargo	alloy-dyn-abi	>=0 <0.8.26 \|\| >=1.0.0 <1.4.1	0.8.26, 1.4.1

Aliases

1. CVE-2025-623702. NVD-2025-623703. OSV-2025-623704. GHSA-pgp9-98jm-wwq25. GCVE-2025-62370

References

1. https://github.com/alloy-rs/core/security/advisories/GHSA-pgp9-98jm-wwq22. https://github.com/alloy-rs/core/commit/7823e9af8c20e9fcfb5360f5eafd891c457ebccf3. https://crates.io/crates/alloy-dyn-abi/0.8.264. https://crates.io/crates/alloy-dyn-abi/1.4.15. https://rustsec.org/advisories/RUSTSEC-2025-0073.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.