CVE-2023-33252: Double spend in snarkjs

May 21, 2023 (updated May 30, 2023)

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

References

github.com/advisories/GHSA-xp5g-jhg3-3rg2
github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
github.com/iden3/snarkjs/tags
nvd.nist.gov/vuln/detail/CVE-2023-33252

Detect and mitigate CVE-2023-33252 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →