@antv/auto-chart (>=2.0.0 <=2.1.0-alpha.0), @antv/chart-advisor (>=2.0.0 <=2.1.0-alpha.1) +5 more potentially affected by unknown CVE via @antv/ckb (>=2.0.4 <=2.1.0-alpha.0)
@antv/ckb NPM version =2.0.4, =2.0.0, =2.0.0, =1.2.0-beta.0, =1.0.0-alpha.1, =2.0.0, =2.0.0, =0.0.1, =0.1.0-beta.57 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3860...
EUVD-2022-0528
Malicious code in bioql PyPI...
EUVD-2022-0568
Malicious code in bioql PyPI...
EUVD-2022-0422
Malicious code in bioql PyPI...
CVE-2021-45700
An issue was discovered in the ckb crate before 0.40.0 for Rust. Attackers can cause a denial of service (Nervos CKB blockchain node crash) via a dead call that is used as a DepGroup...
CVE-2021-45698
An issue was discovered in the ckb crate before 0.40.0 for Rust. A getblocktemplate RPC call may fail in situations where it is supposed to select a Nervos CKB blockchain transaction with a higher fee rate than another transaction...
CVE-2021-45699
An issue was discovered in the ckb crate before 0.40.0 for Rust. Remote attackers may be able to conduct a 51% attack against the Nervos CKB blockchain by triggering an inability to allocate memory for the misbehavior HashMap...
ckb-analyzer (=0.37.0), ckb-network (>=0.37.0 <=0.38.0) +8 more potentially affected by unknown CVE via resolve (>=0.1.2 <=0.2.0)
resolve CARGO version =0.1.2, =0.37.0, =0.37.0, =0.37.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0, =0.3.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0013...
Nervos CKB Permit load cell data from memory
Impact: Faulty nodes reject transactions that call the load_cell_data syscall while the input cell is still in the mempool. They also ban other nodes, causing network separation. Patches: 0.35.2, 0.36.1, 0.37.1, 0.38.2...
GHSA-29C2-65RJ-H343 Nervos CKB Permit load cell data from memory
Impact: Faulty nodes reject transactions that call the load_cell_data syscall while the input cell is still in the mempool. They also ban other nodes, causing network separation. Patches: 0.35.2, 0.36.1, 0.37.1, 0.38.2...
GHSA-H4C3-5275-VRMG Nervos CKB Pool does not remove the conflicting transactions from the statistics
Impact: A bug in the pool statistics means that when conflicting transactions are removed from the pool, they are not subtracted from the statistics. Eventually, the transaction pool stays full and rejects all transactions. Patches: 0.39.2. Workarounds: Restart the CKB node...
Nervos CKB Pool does not remove the conflicting transactions from the statistics
Impact: A bug in the pool statistics means that when conflicting transactions are removed from the pool, they are not subtracted from the statistics. Eventually, the transaction pool stays full and rejects all transactions. Patches: 0.39.2. Workarounds: Restart the CKB node...
GHSA-Q73F-W3H7-7WCC Nervos CKB Transaction which calls syscall load_cell_data_hash has nondeterministic result
Impact: Tx-pool verification of a transaction whose input scripts contain load_cell_data_hash is nondeterministic. Workarounds: Enforce that the tx-pool ResolvedTransaction inputs' load data is none...
Nervos CKB Transaction which calls syscall load_cell_data_hash has nondeterministic result
Impact: Tx-pool verification of a transaction whose input scripts contain load_cell_data_hash is nondeterministic. Workarounds: Enforce that the tx-pool ResolvedTransaction inputs' load data is none...
Nervos CKB Snappy decompress length can be very large and causes out of memory error
Impact: An adversary can create a message whose compressed size is below the package limit but whose decompressed length is very large, such as 1G. Processing such network messages costs the node a lot of memory, and on a system with less than 1G of memory the process is killed directly because of...
GHSA-3GJH-29FV-8HR6 Nervos CKB Snappy decompress length can be very large and causes out of memory error
Impact: An adversary can create a message whose compressed size is below the package limit but whose decompressed length is very large, such as 1G. Processing such network messages costs the node a lot of memory, and on a system with less than 1G of memory the process is killed directly because of...
Nervos CKB Panic on malformed input
Impact: The CKB process panics when it receives a malformed p2p message because of snappy, which is used to compress network messages. References: https://github.com/BurntSushi/rust-snappy/issues/29...
GHSA-WJXC-PJX9-4WVM Nervos CKB Panic on malformed input
Impact: The CKB process panics when it receives a malformed p2p message because of snappy, which is used to compress network messages. References: https://github.com/BurntSushi/rust-snappy/issues/29...
PT-2024-40310 · Ckb · Ckb
Name of the Vulnerable Software and Affected Versions: CKB node versions prior to 0.39.2 Description: A bug in the pool statistics causes conflicting transactions to not be subtracted when removed from the pool, leading to the transaction pool becoming full and rejecting all transactions...
Nervos CKB node panics when processing a block which parent timestamp is too new
Impact: An adversary can initiate a DoS attack by broadcasting two consecutive blocks with timestamps in the future. Patches: Please upgrade to v0.34.1...