6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36008

GHSA ID

GHSA-mjvm-mhgc-q4gp

EPSS Score

0.27438%

CWE

CWE-190

Published

8/18/2022

Updated

10/24/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36008

CVE-2022-36008:
Incorrect parsing of EVM reversion exit reason in RPC

Impact

A low severity security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic.

No action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this.

Patches

The issue is patched in https://github.com/paritytech/frontier/pull/820

Workarounds

None.

References

PR https://github.com/paritytech/frontier/pull/820

For more information

If you have any questions or comments about this advisory:

Email Wei Tang

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36008

GHSA ID

GHSA-mjvm-mhgc-q4gp

EPSS Score

0.27438%

CWE

CWE-190

Published

8/18/2022

Updated

10/24/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fc-rpc	rust	<= 1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was explicitly patched in the error_on_execution_failure function's handling of ExitReason::Revert. The original code used data[36..68].iter().sum::<u8>() to calculate message length, which is both semantically incorrect (length is a U256, not a sum of bytes) and vulnerable to integer overflow. The patch replaced this with proper U256 parsing and saturation, confirming the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * low s*v*rity s**urity issu* w*s *is*ov*r** *****tin* p*rsin* o* t** RP* r*sult o* t** *xit r**son in **s* o* *VM r*v*rsion. In r*l**s* *uil*, t*is woul* **us* t** *xit r**son **in* in*orr**tly p*rs** *n* r*turn** *y RP*. In ***u* *uil*,

Reasoning

T** vuln*r**ility w*s *xpli*itly p*t**** in t** *rror_on_*x**ution_**ilur* *un*tion's **n*lin* o* *xitR**son::R*v*rt. T** ori*in*l *o** us** **t*[**..**].it*r().sum::<u*>() to **l*ul*t* m*ss*** l*n*t*, w*i** is *ot* s*m*nti**lly in*orr**t (l*n*t* is

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-36008: Incorrect parsing of EVM reversion exit reason in RPC

Impact

Patches

Workarounds

References

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-36008:
Incorrect parsing of EVM reversion exit reason in RPC

Vulnerability Intelligence
Miggo AI