GHSA-xp5g-jhg3-3rg2

Source

https://github.com/advisories/GHSA-xp5g-jhg3-3rg2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-xp5g-jhg3-3rg2/GHSA-xp5g-jhg3-3rg2.json

Aliases

• CVE-2023-33252

Published

2023-05-22T00:30:20Z

Modified

2023-11-08T04:12:40.305994Z

Details

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-33252
• https://github.com/iden3/snarkjs
• https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
• https://github.com/iden3/snarkjs/tags