Homepage
About Snyk

Always-Incorrect Control Flow Implementation Affecting evm package, versions <0.31.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.22% (61st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-EVM-1759748
  • published 20 Oct 2021
  • disclosed 19 Oct 2021
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 19 Oct 2021

CVE-2021-41153 Open this link in a new tab
CWE-670 Open this link in a new tab

How to fix?

Upgrade evm to version 0.31.0 or higher.

Overview

evm is a SputnikVM: Rust Ethereum Virtual Machine Implementation.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation as the opcode's condition is checked after the destination validity check, while according to Geth and OpenEthereum, the condition check should happen before the destination validity check.

This is an high severity security advisory if using evm crate for Ethereum mining.

This is a low severity security advisory if using evm crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.7 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

9.8 critical