Miggo Logo

CVE-2018-19183: Denial of Service in ethereumjs-vm

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.70242%
Published
11/21/2018
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
ethereumjs-vmnpm<= 2.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how ethereumjs-vm's runCode function processes code buffers. The CWE-119 (buffer handling) and the advisory's focus on Buffer.from() suggest improper validation of input data. The REVERT opcode execution here is not a normal programmatic outcome but a result of malformed input exploitation. The runCode function's failure to handle such cases (due to missing input sanitization or buffer bounds checks) directly enables the DoS condition. The vendor's dispute about REVERT being 'normal' refers to expected EVM behavior but doesn't address the root cause: triggering REVERT via invalid input due to insufficient validation in runCode's buffer processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*t**r*umjs-vm *.*.* *llows *tt**k*rs to **us* * **ni*l o* s*rvi** (vm.run*o** **ilur* *n* R*V*RT) vi* * "*o**: *u***r.*rom(my_*o**, '**x')" *ttri*ut*.

Reasoning

T** vuln*r**ility st*ms *rom *ow `*t**r*umjs-vm`'s `run*o**` *un*tion pro**ss*s *o** *u***rs. T** *W*-*** (*u***r **n*lin*) *n* t** **visory's *o*us on `*u***r.*rom()` su***st improp*r v*li**tion o* input **t*. T** R*V*RT op*o** *x**ution **r* is not