Infinite decoding loop through specially crafted payload
CVE-2023-6245

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 8 December 2023

Summary

The Candid library has a vulnerability that leads to Denial of Service when processing malicious payloads that include an 'empty' data type. In scenarios where the payload is structured as 'record { * ; empty }' while the expected format is 'record { * }', the Rust candid decoder misinterprets the empty type as a required field. This misclassification forces the decoder into an infinite loop while attempting to rectify the error, so decoding runs until the system reaches its instruction limit. Repeated delivery of such crafted payloads severely impacts canister performance, resulting in frequent service disruptions for affected applications. Note that canisters developed in Motoko are unaffected by this issue.

Affected Version(s)

Candid 0.9.0 < 0.9.10

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
