CVE-2023-6245 HIGH

CVE-2023-6245: Infinite decoding loop through specially crafted payload

Vendor Internet Computer

Product Candid

Weakness CWE-835

Published December 8, 2023

Last update December 2, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

The Candid library causes a Denial of Service while parsing a specially crafted payload with 'empty' data type. For example, if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the Rust candid decoder treats empty as an extra field required by the type. The problem with the type empty is that the candid Rust library wrongly categorizes empty as a recoverable error when skipping the field and thus causing an infinite decoding loop. Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.

Key dates

02Disclosure timeline

December 8, 2023 CVE published

December 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-6245 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/835.html

Related vulnerabilities

CVE-2023-6245: Infinite decoding loop through specially crafted payload

01Description

02Disclosure timeline

03References

04Related CVE