26 matches found
Network Impact of Post-Quantum Certificate Chain Sizes on Time to First Byte in TLS Deployments
Post-Quantum Cryptography PQC is a rapidly growing deployment challenge as cryptographically relevant quantum computers CRQC continue to advance, leaving traditional cryptographic algorithms used in X.509 vulnerable to attack. However, PQC introduces significant deployment challenges in real-worl...
Merkle Tree Certificate Post-Quantum PKI for Kubernetes and Cloud-Native 5G/B5G Core
Post-quantum signature schemes such as ML-DSA-65 produce signatures of 3,309 bytes and public keys of 1,952 bytes over 50 times larger than classical Ed25519. In TLS-authenticated environments like Kubernetes control planes and 5G Core networks, where every inter-component connection is mutually...
Google Develops Merkle Tree Certificates to Enable Quantum-Resistant HTTPS in Chrome
Google has announced a new program in its Chrome browser to ensure that HTTPS certificates are secure against the future risk posed by quantum computers. "To ensure the scalability and efficiency of the ecosystem, Chrome has no immediate plan to add traditional X.509 certificates containing...
ShieldMMU: Detecting and Defending against Controlled-Channel Attacks in Shielding Memory System
Intel SGX and hypervisors isolate non-privileged programs from other software, ensuring confidentiality and integrity. However, side-channel attacks continue to threaten Intel SGX's security, enabling malicious OS to manipulate PTE present bits, induce page faults, and steal memory access traces...
SUSE CVE-2025-49600
In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsverify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS Leighton-Micali Signature forgery in a fault scenario. Specifically, unchecked return values in mbedtlslmsverify allow an attacker who can induce ...
DEBIAN-CVE-2025-49600
In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsverify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS Leighton-Micali Signature forgery in a fault scenario. Specifically, unchecked return values in mbedtlslmsverify allow an attacker who can induce ...
Malicious code in oz-merkle-tree (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 732a4768703da4c9eb31465258c2df9b93dcfcf2811b78c72b62d9dbf9b10053 The package is designed to exfiltrate basic data, like hostname and OS details, as well as collect information about the stacktrace it's imported from. ---...
MAL-2024-10100 Malicious code in oz-merkle-tree (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 732a4768703da4c9eb31465258c2df9b93dcfcf2811b78c72b62d9dbf9b10053 The package is designed to exfiltrate basic data, like hostname and OS details, as well as collect information about the stacktrace it's imported from. ---...
The merkle tree might be revoked again after being used to claim rewards.
Lines of code Vulnerability details Impact The merkle tree might be revoked again after being used to claim rewards. Proof of Concept The governor can revoke the merkle tree using revokeTree. function revokeTree external onlyGovernorOrGuardian if disputer != address0 revert UnresolvedDispute;...
ONLY THE LAST DISPUTE IS CONSIDERED UNRESOLVED IN THE Distributor CONTRACT
Lines of code Vulnerability details Impact The Distributor.disputeTree function is used to freeze the Merkle tree update until the dispute is resolved. This is done by setting the disputer state variable to msg.sender. disputeTree is an external function which can be called by anyone by providing...
Poor detection of disputed trees allows claiming tokens from a disputed tree
Lines of code Vulnerability details Targets Impact Users can claim rewards from a Merkle tree that's being disputed. This can potentially lead to loss of funds since a malicious trusted EOA can claim funds from a malicious tree while it's being disputed. Proof of Concept The...
Improper Input Validation
@openzeppelin/contracts and @openzeppelin/contracts-upgradeable are vulnerable to Improper Input Validation. If a contract uses multiproofs for verification and the merkle tree processing includes a node with value 0 at depth 1, then the contract may be insecure. Balanced trees with three or fewe...
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
Impact When the verifyMultiProof, verifyMultiProofCalldata, processMultiProof, or processMultiProofCalldata functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for...
CVE-2023-34459
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that...
CVE-2023-34459 OpenZeppelin Contracts's MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that...
CVE-2023-34459
OpenZeppelin Contracts (versions 4.7.0–4.9.1) are affected by a multiproof forgery issue when using verifyMultiProof/verifyMultiProofCalldata/processMultiProof/processMultiProofCalldata. If the merkle tree includes a node with value 0 at depth 1 under the root, a adversarial or certain benign tre...
Groupbuy: Construction of merkle tree allows some unintended IDs to be bought
Lines of code Vulnerability details Impact In GroupBuy.purchase, when no proof is provided, it is required that the provided token ID is equal to the stored merkleRoot: if purchaseProof.length == 0 // Hashes tokenId to verify merkle root if proof is empty if bytes32tokenId != merkleRoot revert...
GHSA-672P-M5JQ-MRH8 Insufficient Verification of Proofs generated by the immudb server in client SDK.
Impact In certain scenario a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list o...
Insufficient Verification of Proofs generated by the immudb server in client SDK.
Impact In certain scenario a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list o...
Incorrect implementation of the MerkleVerifier.sol library
Lines of code Vulnerability details Impact The MerkleVerifier results in an incorrect verification of the Merkle Tree. Description Using a simple test case from and deploying the contracts with MerkleVerifier.sol. We can see that the results differs when attempting to verify the Merkle Tree. Test...