CVE-2024-30253: @solana/web3.js vulnerable to Denial of Service attack via Message/Transaction object deserialization

April 17, 2024

Using particular inputs with @solana/web3.js will result in memory exhaustion (OOM).

If you have a server, client, mobile, or desktop product that accepts untrusted input for use with @solana/web3.js, your application/service may crash, resulting in a loss of availability.

References

github.com/advisories/GHSA-8m45-2rjm-j347
github.com/solana-labs/solana-web3.js
github.com/solana-labs/solana-web3.js/commit/77d935221a4805107b20b60ae7c1148725e4e2d0
github.com/solana-labs/solana-web3.js/security/advisories/GHSA-8m45-2rjm-j347
nvd.nist.gov/vuln/detail/CVE-2024-30253

Code Behaviors & Features

Detect and mitigate CVE-2024-30253 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →