VDB
KO
LOW 3.7

GHSA-5rg2-xv9j-gv5p

nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof

Details

### Impact

A malicious peer acting as a state-sync source can crash a syncing node with a crafted `TrieChunk` whose proof contains a `TrieNodeChild` whose `suffix`, when concatenated with the parent key via `KeyNibbles::Add`, exceeds the fixed 63-byte backing array. `Add` (`primitives/src/key_nibbles.rs:332` / `:341`) indexes `bytes[self.bytes_len()..self.bytes_len() + other.bytes_len()]` with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).

`KeyNibbles` deserialization validates only the individual `length <= 126`, not the combined parent + suffix length. The panic occurs at `put_chunk` → `child.key()` → `is_stump()` → `+`, i.e. **before** `proof.verify()`, so no valid proof is required. As with the related `child_index` issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).

Affected: core-rs-albatross <= 1.5.1 (`nimiq-primitives`).

### Patches

Fixed in **1.6.0** via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit `eabfc3e2`), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.

### Workarounds

None other than syncing only from trusted peers. Upgrade to 1.6.0.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / nimiq-primitives
Introduced in: 0 Fixed in: 1.6.0

Upgrade nimiq-primitives to 1.6.0 or newer (ecosystem crates.io).

References