MAL-2026-4804 Malicious code in @leviyuan/lodestar (npm)
Source: amazon-inspector 8c295b3a16fad72f7b165d049e75feb88883dcc1b5b8d9d72b52ac7b40aa09ba. The package ships a lifecycle-invoked script dist/lodestar-setup.js that performs an HTTP POST to a hardcoded https://open.feishu.cn endpoint, with...
EUVD-2022-3638
Malicious code in bioql PyPI...
CVE-2022-29219
Lodestar is a TypeScript implementation of the Ethereum Consensus specification. Prior to version 0.36.0, there is a possible consensus split given maliciously-crafted AttesterSlashing or ProposerSlashing being included on-chain. Because the developers represent uint64 values as native javascript...
Inefficient Compression
@lodestar/reqresp is vulnerable to Inefficient Compression. The vulnerability is due to inefficient compression in the snappy framing over SSZ-encoded messages, which allows an attacker to send specially crafted messages that exploit these inefficiencies, potentially causing resource exhaustion, system...
GHSA-M9C9-MC2H-9WJW Lodestar snappy checksum issue
Impact: Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork; network partition requiring hard fork. Lodestar does not verify the checksum in snappy framing uncompressed chunks. Vulnerability Details: In the Req/Resp protocol the messages are encoded by...
@chainsafe/lodestar (>=1.10.0-dev.00b94f3802 <=1.25.0-rc.0), @lodestar/beacon-node (>=1.10.0-dev.00b94f3802 <=1.25.0-rc.0) potentially affected by unknown CVE via @lodestar/reqresp (>=1.10.0-dev.a208afb45a <=1.25.0-rc.0)
@lodestar/reqresp NPM version =1.10.0-dev.a208afb45a, =1.10.0-dev.00b94f3802, =1.10.0-dev.00b94f3802, =1.25.0-rc.0 Source cves: unknown CVE Source advisory: OSV:GHSA-M9C9-MC2H-9WJW...
GHSA-53RV-HCVM-RPP9 Lodestar snappy decompression issue
Impact: Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork; network partition requiring hard fork. Description: The Lodestar client may fail to decode snappy framing compressed messages. Vulnerability Details: In the Req/Resp protocol the messages are...
@chainsafe/lodestar (>=1.10.0-dev.00b94f3802 <=1.25.0-rc.0), @lodestar/beacon-node (>=1.10.0-dev.00b94f3802 <=1.25.0-rc.0) potentially affected by unknown CVE via @lodestar/reqresp (>=1.10.0-dev.a208afb45a <=1.25.0-rc.0)
@lodestar/reqresp NPM version =1.10.0-dev.a208afb45a, =1.10.0-dev.00b94f3802, =1.10.0-dev.00b94f3802, =1.25.0-rc.0 Source cves: unknown CVE Source advisory: OSV:GHSA-53RV-HCVM-RPP9...
Denial Of Service (DoS)
@chainsafe/lodestar is vulnerable to denial of service. The vulnerability exists because the library represents uint64 values as native JavaScript numbers, allowing an attacker to crash the application by providing large uint64 values greater than 2^53 through a maliciously-crafted AttesterSlashi...
@chainsafe/lodestar-cli (>=0.12.0 <=0.28.2-dev.18) potentially affected by CVE-2022-29219 via @chainsafe/lodestar (>=0.12.0 <=0.28.2-dev.18)
@chainsafe/lodestar NPM version =0.12.0, =0.12.0, =0.28.2-dev.18 Source cves: CVE-2022-29219 Source advisory: OSV:GHSA-CVJ7-5F3C-9VG9...
AttesterSlashing number overflow
Impact: Possible consensus split given maliciously-crafted AttesterSlashing or ProposerSlashing being included on-chain. Since we represent uint64 values as native JavaScript numbers, there is an issue when those variables with large uint64 values (greater than 2^53) are included on chain. In those...
CVE-2022-29219 Integer Overflow in Lodestar
Lodestar is a TypeScript implementation of the Ethereum Consensus specification. Prior to version 0.36.0, there is a possible consensus split given maliciously-crafted AttesterSlashing or ProposerSlashing being included on-chain. Because the developers represent uint64 values as native javascript...
CVE-2022-29219
Lodestar (TypeScript Ethereum Consensus) before v0.36.0 is vulnerable due to using native JavaScript numbers for uint64 values in AttesterSlashing/ProposerSlashing, causing rounding errors for large values (>2^53). This can yield consensus splits or valid Slashing being treated as invalid, pot...