GHSA-3gjh-29fv-8hr6: Nervos CKB Snappy decompress length can be very large and causes out of memory error

February 3, 2024

Adversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error.

References

github.com/advisories/GHSA-3gjh-29fv-8hr6
github.com/nervosnetwork/ckb/security/advisories/GHSA-3gjh-29fv-8hr6

Detect and mitigate GHSA-3gjh-29fv-8hr6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →