Homepage
About Snyk

Always-Incorrect Control Flow Implementation Affecting evm package, versions <0.31.0

0.0
high

Snyk CVSS

    Attack Complexity High
    Scope Changed
    Confidentiality High
    Integrity High

    Threat Intelligence

    EPSS 0.2% (57th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-EVM-1759748
  • published 20 Oct 2021
  • disclosed 19 Oct 2021
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 19 Oct 2021

CVE-2021-41153 Open this link in a new tab
CWE-670 Open this link in a new tab

How to fix?

Upgrade evm to version 0.31.0 or higher.

Overview

evm is a SputnikVM: Rust Ethereum Virtual Machine Implementation.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation as the opcode's condition is checked after the destination validity check, while according to Geth and OpenEthereum, the condition check should happen before the destination validity check.

This is an high severity security advisory if using evm crate for Ethereum mining.

This is a low severity security advisory if using evm crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory.

References