CVE-2018-19183: Denial of Service in ethereumjs-vm
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2018-19183
GHSA ID
EPSS Score: 0.70242%
CWE
Published: 11/21/2018
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ethereumjs-vm | npm | <= 2.4.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how ethereumjs-vm's `runCode` function processes code buffers. The CWE-119 classification (buffer handling) and the advisory's focus on `Buffer.from()` suggest improper validation of input data. The REVERT opcode execution here is not a normal programmatic outcome but a result of malformed input exploitation. The `runCode` function's failure to handle such cases (due to missing input sanitization or buffer bounds checks) directly enables the DoS condition. The vendor's dispute about REVERT being 'normal' refers to expected EVM behavior but doesn't address the root cause: triggering REVERT via invalid input due to insufficient validation in `runCode`'s buffer processing.
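One way a caller can validate hex-encoded bytecode before it is decoded with `Buffer.from()` and handed to `runCode`. This is an added example, not code from ethereumjs-vm or the advisory; the function names `decodeStrictHex` and `inspectBytecode`, the size cap and the sample bytecode are assumptions made for illustration.

```javascript
'use strict';
// Added example: strict pre-validation of untrusted hex bytecode.
// All names and limits here are illustrative assumptions.

const MAX_CODE_BYTES = 24576; // assumed cap for this sketch (EIP-170 contract size limit)

// Buffer.from(str, 'hex') stops at the first non-hex character and drops a
// trailing odd nibble without throwing, so malformed input is rejected here
// instead of being silently shortened.
function decodeStrictHex(hex) {
  if (typeof hex !== 'string') throw new TypeError('bytecode must be a hex string');
  const body = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (body.length % 2 !== 0) throw new RangeError('odd number of hex digits');
  if (!/^[0-9a-fA-F]*$/.test(body)) throw new RangeError('non-hex character in bytecode');
  if (body.length / 2 > MAX_CODE_BYTES) throw new RangeError('bytecode too large');
  return Buffer.from(body, 'hex');
}

// Walk the opcodes, skipping PUSH1..PUSH32 (0x60-0x7f) immediates so that
// data bytes are not mistaken for instructions.
function inspectBytecode(code) {
  const report = { length: code.length, truncatedPush: false, revertOffsets: [] };
  for (let pc = 0; pc < code.length; pc++) {
    const op = code[pc];
    if (op >= 0x60 && op <= 0x7f) {
      const n = op - 0x5f; // number of immediate bytes that follow
      if (pc + n >= code.length) report.truncatedPush = true; // immediates run past the end
      pc += n;
    } else if (op === 0xfd) { // REVERT
      report.revertOffsets.push(pc);
    }
  }
  return report;
}

// Constructed sample: PUSH1 0x00, PUSH1 0x00, REVERT
const sample = inspectBytecode(decodeStrictHex('0x60006000fd'));
console.log(sample);
```

A service that runs caller-supplied bytecode can reject input that fails `decodeStrictHex`, log the `inspectBytecode` report, and treat a revert returned by the VM as an ordinary result of that one request.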