GHSA-xp5g-jhg3-3rg2

Suggest an improvement
Source
https://github.com/advisories/GHSA-xp5g-jhg3-3rg2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-xp5g-jhg3-3rg2/GHSA-xp5g-jhg3-3rg2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xp5g-jhg3-3rg2
Aliases
Published
2023-05-22T00:30:20Z
Modified
2023-11-08T04:12:40.305994Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Double spend in snarkjs
Details

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

Database specific 
{
    "nvd_published_at": "2023-05-21T22:15:14Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-22T19:37:12Z"
}
References

Affected packages

npm / snarkjs

Package

Name
snarkjs
View open source insights on deps.dev
Purl
pkg:npm/snarkjs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.6.11