How the CVE Works:
The vulnerability occurs in Nethermind Juno (< v0.12.5) due to improper handling of Sierra bytecode decompression in the `cairo-lang-starknet-classes` library. When the node processes a malicious Declare v2/v3 transaction, an integer overflow in the decompression logic causes an infinite loop. Attackers exploit this by crafting oversized bytecode, triggering uncontrolled CPU consumption and node unresponsiveness. The flaw stems from missing bounds checks during bytecode size calculations: the declared size is used in arithmetic that can wrap, so the loop condition is never satisfied and the decompression loop never terminates.
DailyCVE Form:
Platform: Nethermind Juno
Version: < 0.12.5
Vulnerability: Integer Overflow
Severity: High
Date: Mar 27, 2025
What Undercode Say:
Exploitation:
1. Craft a Declare v2/v3 transaction with malformed Sierra bytecode.
2. Set oversized `bytecode_length` to trigger integer overflow.
3. Submit to a vulnerable Starknet full node.
Proof-of-Concept (Python):
import requests

malicious_tx = {
    "type": "DECLARE",
    "version": 2,
    "bytecode": ...,  # Excessive bytecode (payload not shown on the page)
}
requests.post("http://target-node:6060", json=malicious_tx)
Mitigation:
1. Upgrade to Nethermind Juno ≥ v0.12.5.
2. Implement bounds checks in Sierra decompression:
if (bytecode.Length > MAX_ALLOWED_SIZE) throw new OverflowException();
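The pattern behind both the bug described above and the bounds check in step 2, as an added illustration that is not Juno's code nor the `cairo-lang-starknet-classes` implementation: a constructed length-prefixed toy format (assumed `wordSize` and `maxWords`) where the naive size calculation wraps, beside a version that rejects the raw declared length before any arithmetic. It goes slightly beyond the page by also bounding the decode loop by the bytes actually present.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed toy format, not the real Sierra encoding: a 4-byte little-endian
// word count followed by that many 4-byte words. maxWords is an assumed cap.
const wordSize, maxWords = 4, 1 << 20
var errTooLarge, errTruncated = errors.New("declared bytecode length exceeds limit"), errors.New("declared length exceeds payload")

// naiveByteLen mirrors the pre-fix pattern: the size is computed in the width
// of the header field, so a huge count wraps (0x40000001 words -> 4 bytes)
// and any later "small enough?" check on the result is fooled.
func naiveByteLen(count uint32) uint32 { return count * wordSize }

// safeByteLen rejects the raw header value before any arithmetic and widens
// the multiplication so it cannot wrap.
func safeByteLen(count uint32) (uint64, error) {
	if count > maxWords {
		return 0, errTooLarge
	}
	return uint64(count) * wordSize, nil
}

// decodeWords bounds the loop by the validated size and by the bytes actually
// present, so a hostile header cannot drive it past the input.
func decodeWords(payload []byte) ([]uint32, error) {
	if len(payload) < wordSize {
		return nil, errTruncated
	}
	need, err := safeByteLen(binary.LittleEndian.Uint32(payload[:wordSize]))
	if err != nil {
		return nil, err
	}
	body := payload[wordSize:]
	if uint64(len(body)) < need {
		return nil, errTruncated
	}
	words := make([]uint32, 0, need/wordSize)
	for off := 0; off < int(need); off += wordSize {
		words = append(words, binary.LittleEndian.Uint32(body[off:off+wordSize]))
	}
	return words, nil
}

func main() {
	fmt.Println(naiveByteLen(0x40000001)) // 4: wrapped, would pass a size check
	fmt.Println(safeByteLen(0x40000001))  // 0 declared bytecode length exceeds limit
}
```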
Detection:
grep -r "cairo-lang-starknet-classes" /path/to/nethermind | grep "v0.12.4"
Analytics:
- Attack Vector: Network
- CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Affected Components: Starknet full nodes
Patch Reference:
- if (bytecodeLength > 0) { + if (bytecodeLength > 0 && bytecodeLength < MAX_BYTECODE_SIZE) {
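Review bot: the condition added on the `+` line only gates entry into the block, so a `bytecodeLength` at or above `MAX_BYTECODE_SIZE` falls through silently instead of being rejected; prefer an explicit early rejection (an error or exception before this `if`) so the caller records why the declaration was dropped. Also confirm the comparison is made on the raw declared length before it feeds any size arithmetic, since the page describes the overflow occurring in the size calculation itself; a value that has already wrapped would still satisfy the new bound.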
Post-Exploit:
top -b -n 1 | grep "nethermind"   # Check CPU spikes
Hardening:
# Assumes a zone is declared in the http {} block, e.g. limit_req_zone $binary_remote_addr zone=tx_rate:10m rate=<N>r/s;
location /declare {
    limit_req zone=tx_rate burst=10;  # Rate-limit Declare TXs
}
References:
Reported By: https://github.com/advisories/GHSA-wq32-8rp4-w2mc