CVE-2023-33252

EUVD-2023-1652
iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
Affected Products (NVD)
VendorProductVersion
0kimssnarkjs
𝑥
≤ 0.6.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
https://github.com/iden3/snarkjs/tags
https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
https://github.com/iden3/snarkjs/tags