VDB
EN
LOW 3.7

GHSA-46wq-28cx-mhw4

nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys

상세

### Impact

A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted `TrieChunk` whose proof contains two `TrieProofNode`s with identical keys. `TrieProof::verify()` calls `TrieProofNode::child_index()` (`primitives/src/trie/trie_proof_node.rs:94`), which unconditionally unwraps `KeyNibbles::get(self.key.len())`. Because `is_prefix_of` returns `true` for two equal keys, execution reaches `get(len)`, which returns `None`, and the `unwrap()` panics.

The panic is reached from untrusted network input (`ResponseChunk` → `commit_chunks` → `put_chunk` → `proof.verify()`) **before** any cryptographic proof verification, so the attacker does not need to produce a valid proof. Exploitation requires the attacker to be selected as the victim's sync peer while the victim is performing state sync, and the resulting crash is transient (the node restarts and re-syncs).

Affected: core-rs-albatross <= 1.5.1 (`nimiq-primitives`).

### Patches

Fixed in **1.6.0** via https://github.com/nimiq/core-rs-albatross/pull/3789 (commit `41d35ace`). `child_index` now rejects equal-length keys and returns `MerkleRadixTrieError::WrongPrefix` instead of unwrapping.

### Workarounds

None other than syncing only from trusted peers. Upgrade to 1.6.0.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

crates.io / nimiq-primitives
최초 영향 버전: 0 수정 버전: 1.6.0

Upgrade nimiq-primitives to 1.6.0 or newer (ecosystem crates.io).

참고