CVE-2024-30253 - Vulnerability Details

- Handling untrusted input can result in a crash, leading to loss of availability / denial of service

Description

@solana/web3.js is the Solana JavaScript SDK. Using particular inputs with `@solana/web3.js` will result in memory exhaustion (OOM). If you have a server, client, mobile, or desktop product that accepts untrusted input for use with `@solana/web3.js`, your application/service may crash, resulting in a loss of availability. This vulnerability is fixed in 1.0.1, 1.10.2, 1.11.1, 1.12.1, 1.1.2, 1.13.1, 1.14.1, 1.15.1, 1.16.2, 1.17.1, 1.18.1, 1.19.1, 1.20.3, 1.21.1, 1.22.1, 1.23.1, 1.24.3, 1.25.1, 1.26.1, 1.27.1, 1.28.1, 1.2.8, 1.29.4, 1.30.3, 1.31.1, 1.3.1, 1.32.3, 1.33.1, 1.34.1, 1.35.2, 1.36.1, 1.37.3, 1.38.1, 1.39.2, 1.40.2, 1.41.11, 1.4.1, 1.42.1, 1.43.7, 1.44.4, 1.45.1, 1.46.1, 1.47.5, 1.48.1, 1.49.1, 1.50.2, 1.51.1, 1.5.1, 1.52.1, 1.53.1, 1.54.2, 1.55.1, 1.56.3, 1.57.1, 1.58.1, 1.59.2, 1.60.1, 1.61.2, 1.6.1, 1.62.2, 1.63.2, 1.64.1, 1.65.1, 1.66.6, 1.67.3, 1.68.2, 1.69.1, 1.70.4, 1.71.1, 1.72.1, 1.7.2, 1.73.5, 1.74.1, 1.75.1, 1.76.1, 1.77.4, 1.78.8, 1.79.1, 1.80.1, 1.81.1, 1.8.1, 1.82.1, 1.83.1, 1.84.1, 1.85.1, 1.86.1, 1.87.7, 1.88.1, 1.89.2, 1.90.2, 1.9.2, and 1.91.3.

Published: 2024-04-17

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

solana-labs

solana-web3.js

affected

Version	Status	Constraints
`>= 1.91.0, < 1.91.3`	affected	—
`>= 1.90, < 1.90.2`	affected	—
`>= 1.89, < 1.89.2`	affected	—
`= 1.88.0`	affected	—
`>=1.87.0, < 1.87.7`	affected	—
`= 1.86.0`	affected	—
`= 1.85.0`	affected	—
`= 1.84.0`	affected	—
`= 1.83.0`	affected	—
`= 1.82.0`	affected	—
`= 1.81.0`	affected	—
`= 1.80.0`	affected	—
`= 1.79.0`	affected	—
`>= 1.78, < 1.78.8`	affected	—
`>= 1.77, < 1.77.4`	affected	—
`= 1.76.0`	affected	—
`= 1.75.0`	affected	—
`= 1.74.0`	affected	—
`>= 1.73.0, < 1.73.5`	affected	—
`= 1.72.0`	affected	—
`= 1.71.0`	affected	—
`>= 1.70.0, < 1.70.4`	affected	—
`= 1.69.0`	affected	—
`>= 1.68.0, < 1.68.2`	affected	—
`>= 1.67.0, < 1.67.3`	affected	—
`>= 1.66.0, < 1.66.6`	affected	—
`= 1.65.0`	affected	—
`= 1.64.0`	affected	—
`>= 1.63.0, < 1.63.2`	affected	—
`>= 1.62.0, < 1.62.2`	affected	—
`>= 1.61.0, < 1.61.2`	affected	—
`= 1.60.0`	affected	—
`>= 1.59.0, < 1.59.2`	affected	—
`= 1.58.0`	affected	—
`= 1.57.0`	affected	—
`>= 1.56.0, < 1.56.3`	affected	—
`= 1.55.0`	affected	—
`>= 1.54.0, < 1.54.2`	affected	—
`= 1.53.0`	affected	—
`= 1.52.0`	affected	—
`= 1.51.0`	affected	—
`>= 1.50.0, < 1.50.2`	affected	—
`= 1.49.0`	affected	—
`= 1.48.0`	affected	—
`>= 1.47.0, < 1.47.5`	affected	—
`= 1.46.0`	affected	—
`= 1.45.0`	affected	—
`>= 1.44.0, < 1.44.4`	affected	—
`>= 1.43.0, < 1.43.7`	affected	—
`= 1.42.0`	affected	—
`>= 1.41.0, < 1.41.11`	affected	—
`>= 1.40.0, < 1.40.2`	affected	—
`>= 1.39.0, < 1.39.2`	affected	—
`= 1.38.0`	affected	—
`>= 1.37.0, < 1.37.3`	affected	—
`= 1.36.0`	affected	—
`>= 1.35.0, < 1.35.2`	affected	—
`= 1.34.0`	affected	—
`= 1.33.0`	affected	—
`>= 1.32.0, < 1.32.2`	affected	—
`= 1.31.0`	affected	—
`>= 1.30.0, < 1.30.3`	affected	—
`>= 1.29.0, < 1.29.4`	affected	—
`= 1.28.0`	affected	—
`= 1.27.0`	affected	—
`= 1.26.0`	affected	—
`= 1.25.0`	affected	—
`>= 1.24.0, < 1.24.3`	affected	—
`= 1.23.0`	affected	—
`= 1.22.0`	affected	—
`= 1.21.0`	affected	—
`>= 1.20.0, < 1.20.3`	affected	—
`= 1.19.0`	affected	—
`= 1.18.0`	affected	—
`= 1.17.0`	affected	—
`>= 1.16.0, < 1.16.2`	affected	—
`= 1.15.0`	affected	—
`= 1.14.0`	affected	—
`= 1.13.0`	affected	—
`= 1.12.0`	affected	—
`= 1.11.0`	affected	—
`>= 1.10.0, < 1.10.2`	affected	—
`>= 1.9.0, < 1.9.2`	affected	—
`= 1.8.0`	affected	—
`>= 1.7.0, < 1.7.2`	affected	—
`= 1.6.0`	affected	—
`= 1.5.0`	affected	—
`= 1.4.0`	affected	—
`= 1.3.0`	affected	—
`>= 1.2.0, < 1.2.8`	affected	—
`>= 1.1.0, < 1.1.2`	affected	—
`< 1.0.1`	affected	—

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1160	@solana/web3.js is the Solana JavaScript SDK. Using particular inputs with `@solana/web3.js` will result in memory exhaustion (OOM). If you have a server, client, mobile, or desktop product that accepts untrusted input for use with `@solana/web3.js`, your application/service may crash, resulting in a loss of availability. This vulnerability is fixed in 1.0.1, 1.10.2, 1.11.1, 1.12.1, 1.1.2, 1.13.1, 1.14.1, 1.15.1, 1.16.2, 1.17.1, 1.18.1, 1.19.1, 1.20.3, 1.21.1, 1.22.1, 1.23.1, 1.24.3, 1.25.1, 1.26.1, 1.27.1, 1.28.1, 1.2.8, 1.29.4, 1.30.3, 1.31.1, 1.3.1, 1.32.3, 1.33.1, 1.34.1, 1.35.2, 1.36.1, 1.37.3, 1.38.1, 1.39.2, 1.40.2, 1.41.11, 1.4.1, 1.42.1, 1.43.7, 1.44.4, 1.45.1, 1.46.1, 1.47.5, 1.48.1, 1.49.1, 1.50.2, 1.51.1, 1.5.1, 1.52.1, 1.53.1, 1.54.2, 1.55.1, 1.56.3, 1.57.1, 1.58.1, 1.59.2, 1.60.1, 1.61.2, 1.6.1, 1.62.2, 1.63.2, 1.64.1, 1.65.1, 1.66.6, 1.67.3, 1.68.2, 1.69.1, 1.70.4, 1.71.1, 1.72.1, 1.7.2, 1.73.5, 1.74.1, 1.75.1, 1.76.1, 1.77.4, 1.78.8, 1.79.1, 1.80.1, 1.81.1, 1.8.1, 1.82.1, 1.83.1, 1.84.1, 1.85.1, 1.86.1, 1.87.7, 1.88.1, 1.89.2, 1.90.2, 1.9.2, and 1.91.3.
Github GHSA	GHSA-8m45-2rjm-j347	Handling untrusted input can result in a crash, leading to loss of availability / denial of service

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00142.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/solana-labs/solana-web3.js/commit/77d935221a4805107b20b60ae7c1148725e4e2d0
https://github.com/solana-labs/solana-web3.js/security/advisories/GHSA-8m45-2rjm-j347

History

No history.

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-17T15:07:27.546Z

Updated: 2024-08-21T15:05:27.101Z

Reserved: 2024-03-26T12:52:00.933Z

Link: CVE-2024-30253

Vulnrichment

Updated: 2024-08-02T01:32:06.308Z

NVD

Status : Deferred

Published: 2024-04-17T15:15:07.253

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-30253

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-119

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object