GHSA-9mfc-chwf-7whf

Source
https://github.com/advisories/GHSA-9mfc-chwf-7whf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-9mfc-chwf-7whf/GHSA-9mfc-chwf-7whf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9mfc-chwf-7whf
Published
2022-11-02T18:14:01Z
Modified
2022-11-02T18:14:01Z
Summary
ckb: A large dep group requires a lot of resources to process, but the cost to commit the transaction is very low.
Details

Impact

When a transaction contains a dep group with many cells, the resources required to process it are not proportional to the transaction size or to the script cycles consumed. The transaction references the dep group as a single cell dep, so it pays for one dep while the node must resolve every cell the group expands to.

Patches

In 0.43.3, nodes drop relayed transactions that contain a dep group with more than 64 cells. This is a local relay policy, not a consensus rule, so peers that send such transactions are not banned.

In 0.100, the consensus rules disallow transactions that use a dep group with more than 64 cells. Peers relaying such a transaction must be banned, and blocks committing such transactions must be rejected.
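The following is an added example, not code from the advisory or from the ckb code base. It models the check the two patches describe: for every cell dep of type DepGroup, the node reads the number of out points in the dep group cell's data and rejects the transaction when that number exceeds 64, either by dropping it (the 0.43.3 relay policy) or by banning the peer (the 0.100 consensus rule). The struct names, the CellStore map and the Policy enum are hypothetical stand-ins for the node's real types; the dep group data layout follows CKB's molecule OutPointVec encoding (a 4-byte little-endian item count followed by 36-byte out points), which the real node decodes through the ckb-types crate. The security-relevant detail is that the count is read from the 4-byte header before any of the referenced cells are resolved, so the check itself stays O(1) however large the group is.

```rust
// Added example, not ckb's own code: enforce the 64-cell dep group limit
// before resolving any of the cells a dep group expands to.
use std::collections::HashMap;

/// Limit introduced as relay policy in 0.43.3 and as consensus in 0.100.
pub const MAX_DEP_GROUP_CELLS: usize = 64;

/// Serialized OutPoint: 32-byte tx hash + 4-byte little-endian index.
const OUT_POINT_SIZE: usize = 36;

#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct OutPoint {
    pub tx_hash: [u8; 32],
    pub index: u32,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum DepType {
    Code,
    DepGroup,
}

#[derive(Clone, Debug)]
pub struct CellDep {
    pub out_point: OutPoint,
    pub dep_type: DepType,
}

/// Hypothetical stand-in for the node's cell store: out point -> cell data.
pub type CellStore = HashMap<OutPoint, Vec<u8>>;

#[derive(Clone, Copy, Debug)]
pub enum Policy {
    /// 0.43.3: drop the transaction, keep the peer.
    Relay043,
    /// 0.100: consensus rule, ban the peer / reject the block.
    Consensus0100,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    Drop { cells: usize },
    Ban { cells: usize },
    MissingCell(OutPoint),
    MalformedDepGroup(OutPoint),
}

/// Number of out points in a dep group cell's data (molecule OutPointVec:
/// 4-byte LE item count followed by fixed 36-byte items). Only the header
/// is inspected, so the cost does not grow with the size of the group.
pub fn dep_group_len(data: &[u8]) -> Option<usize> {
    if data.len() < 4 {
        return None;
    }
    let n = u32::from_le_bytes([data[0], data[1], data[2], data[3]]) as usize;
    if data.len() != 4 + n * OUT_POINT_SIZE {
        return None; // truncated or padded vector: treat as malformed
    }
    Some(n)
}

/// Serialize an OutPointVec; used here only to construct sample cells.
pub fn encode_dep_group(points: &[OutPoint]) -> Vec<u8> {
    let mut out = (points.len() as u32).to_le_bytes().to_vec();
    for p in points {
        out.extend_from_slice(&p.tx_hash);
        out.extend_from_slice(&p.index.to_le_bytes());
    }
    out
}

/// Returns the total number of cells the dep groups expand to, or the
/// rejection the chosen policy mandates for the first oversized group.
pub fn check_dep_groups(deps: &[CellDep], store: &CellStore, policy: Policy) -> Result<usize, Rejection> {
    let mut total = 0;
    for dep in deps.iter().filter(|d| d.dep_type == DepType::DepGroup) {
        let data = store
            .get(&dep.out_point)
            .ok_or_else(|| Rejection::MissingCell(dep.out_point.clone()))?;
        let n = dep_group_len(data).ok_or_else(|| Rejection::MalformedDepGroup(dep.out_point.clone()))?;
        if n > MAX_DEP_GROUP_CELLS {
            return Err(match policy {
                Policy::Relay043 => Rejection::Drop { cells: n },
                Policy::Consensus0100 => Rejection::Ban { cells: n },
            });
        }
        total += n;
    }
    Ok(total)
}

/// Constructed sample: one dep group cell whose data lists `n` out points.
pub fn sample_dep_group(n: usize) -> (CellStore, CellDep) {
    let group_point = OutPoint { tx_hash: [0xaa; 32], index: 0 };
    let members: Vec<OutPoint> = (0..n)
        .map(|i| OutPoint { tx_hash: [(i % 251) as u8; 32], index: (i / 251) as u32 })
        .collect();
    let mut store = CellStore::new();
    store.insert(group_point.clone(), encode_dep_group(&members));
    (store, CellDep { out_point: group_point, dep_type: DepType::DepGroup })
}
```

A group of exactly 64 cells passes under both policies; a group of 65 is dropped under Relay043 and turns into a ban under Consensus0100. A dep group whose data does not match its own header count is rejected as malformed rather than partially trusted.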

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-02T18:14:01Z"
}
References

Affected packages

crates.io / ckb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.43.3