Alloy Core libraries at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloydynabi::TypedData could lead to a denial-of-service (DoS) via eip712signinghash(). Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible. The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-248"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62370.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.8.26"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.4.1"
}
],
"source": [
"AFFECTED_FIELD",
"REFERENCES"
]
}