Uncaught Exception Affecting namada-apps package, versions <1.1.0

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Uncaught Exception vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-RUST-NAMADAAPPS-8745560
published25 Feb 2025
disclosed20 Feb 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 20 Feb 2025

NewCWE-248 (opens in a new tab)

How to fix?

Upgrade namada-apps to version 1.1.0 or higher.

Overview

Affected versions of this package are vulnerable to Uncaught Exception through the finalize_block process. An attacker can cause the ledger to crash by initializing a post-genesis validator with a negative commission rate using the --force flag. This is if the validator gets into the consensus set, then when computing PoS inflation inside fn update_rewards_products_and_mint_inflation, an instance of mul_floor returns an Err, causing the process to error.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
High