CVE-2024-50354

Description

Gnark out-of-memory during deserialization with crafted inputs in github.com/consensys/gnark

How to fix CVE-2024-50354

To remediate CVE-2024-50354, upgrade the affected package to a fixed version below.

• Go/github.com/consensys/gnark—upgrade to 0.11.1 or later
• —upgrade to 0.12.0 or later

Is CVE-2024-50354 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 0.11.1
• from 0, < 0.12.0

CVSS scores

References (6)

• ADVISORYgithub.com/advisories/GHSA-cph5-3pgr-c82g
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-50354
• PATCHgithub.com/Consensys/gnark
• WEBgithub.com/Consensys/gnark/commit/47ae846339add2bdf9983e499342bfdfe195191d
• WEB