GHSA-5rg2-xv9j-gv5p
nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof
Details
### Impact
A malicious peer acting as a state-sync source can crash a syncing node with a crafted `TrieChunk` whose proof contains a `TrieNodeChild` whose `suffix`, when concatenated with the parent key via `KeyNibbles::Add`, exceeds the fixed 63-byte backing array. `Add` (`primitives/src/key_nibbles.rs:332` / `:341`) indexes `bytes[self.bytes_len()..self.bytes_len() + other.bytes_len()]` with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).
`KeyNibbles` deserialization validates only the individual `length <= 126`, not the combined parent + suffix length. The panic occurs at `put_chunk` → `child.key()` → `is_stump()` → `+`, i.e. **before** `proof.verify()`, so no valid proof is required. As with the related `child_index` issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (`nimiq-primitives`).
### Patches
Fixed in **1.6.0** via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit `eabfc3e2`), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.
### Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 1.6.0 Upgrade nimiq-primitives to 1.6.0 or newer (ecosystem crates.io).
References
- https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-5rg2-xv9j-gv5p [WEB]
- https://github.com/nimiq/core-rs-albatross/pull/3790 [WEB]
- https://github.com/nimiq/core-rs-albatross/commit/eabfc3e21731b0628c3f933163a0f1e1864217bf [WEB]
- https://github.com/nimiq/core-rs-albatross [PACKAGE]
- https://github.com/nimiq/core-rs-albatross/releases/tag/v1.6.0 [WEB]