7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-30253

CVE-2024-30253: Handling untrusted input can result in a crash, leading to loss of availability / denial of service

Using particular inputs with @solana/web3.js will result in memory exhaustion (OOM).

If you have a server, client, mobile, or desktop product that accepts untrusted input for use with @solana/web3.js, your application/service may crash, resulting in a loss of availability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-30253

CVE-2024-30253:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@solana/web3.js	npm	>= 1.91.0, < 1.91.3	1.91.3
@solana/web3.js	npm	>= 1.90, < 1.90.2	1.90.2
@solana/web3.js	npm	>= 1.89, < 1.89.2	1.89.2
@solana/web3.js	npm	= 1.88.0	1.88.1
@solana/web3.js	npm	>= 1.87.0, < 1.87.7	1.87.7
@solana/web3.js	npm	= 1.86.0	1.86.1
@solana/web3.js	npm	= 1.85.0	1.85.1
@solana/web3.js	npm	= 1.84.0	1.84.1
@solana/web3.js	npm	= 1.83.0	1.83.1
@solana/web3.js	npm	= 1.82.0	1.82.1
@solana/web3.js	npm	= 1.81.0	1.81.1
@solana/web3.js	npm	= 1.80.0	1.80.1
@solana/web3.js	npm	= 1.79.0	1.79.1
@solana/web3.js	npm	>= 1.78, < 1.78.8	1.78.8
@solana/web3.js	npm	>= 1.77, < 1.77.4	1.77.4
@solana/web3.js	npm	= 1.76.0	1.76.1
@solana/web3.js	npm	= 1.75.0	1.75.1
@solana/web3.js	npm	= 1.74.0	1.74.1
@solana/web3.js	npm	>= 1.73.0, < 1.73.5	1.73.5
@solana/web3.js	npm	= 1.72.0	1.72.1
@solana/web3.js	npm	= 1.71.0	1.71.1
@solana/web3.js	npm	>= 1.70.0, < 1.70.4	1.70.4
@solana/web3.js	npm	= 1.69.0	1.69.1
@solana/web3.js	npm	>= 1.68.0, < 1.68.2	1.68.2
@solana/web3.js	npm	>= 1.67.0, < 1.67.3	1.67.3
@solana/web3.js	npm	>= 1.66.0, < 1.66.6	1.66.6
@solana/web3.js	npm	= 1.65.0	1.65.1
@solana/web3.js	npm	= 1.64.0	1.64.1
@solana/web3.js	npm	>= 1.63.0, < 1.63.2	1.63.2
@solana/web3.js	npm	>= 1.62.0, < 1.62.2	1.62.2
@solana/web3.js	npm	>= 1.61.0, < 1.61.2	1.61.2
@solana/web3.js	npm	= 1.60.0	1.60.1
@solana/web3.js	npm	>= 1.59.0, < 1.59.2	1.59.2
@solana/web3.js	npm	= 1.58.0	1.58.1
@solana/web3.js	npm	= 1.57.0	1.57.1
@solana/web3.js	npm	>= 1.56.0, < 1.56.3	1.56.3
@solana/web3.js	npm	= 1.55.0	1.55.1
@solana/web3.js	npm	>= 1.54.0, < 1.54.2	1.54.2
@solana/web3.js	npm	= 1.53.0	1.53.1
@solana/web3.js	npm	= 1.52.0	1.52.1
@solana/web3.js	npm	= 1.51.0	1.51.1
@solana/web3.js	npm	>= 1.50.0, < 1.50.2	1.50.2
@solana/web3.js	npm	= 1.49.0	1.49.1
@solana/web3.js	npm	= 1.48.0	1.48.1
@solana/web3.js	npm	>= 1.47.0, < 1.47.5	1.47.5
@solana/web3.js	npm	= 1.46.0	1.46.1
@solana/web3.js	npm	= 1.45.0	1.45.1
@solana/web3.js	npm	>= 1.44.0, < 1.44.4	1.44.4
@solana/web3.js	npm	>= 1.43.0, < 1.43.7	1.43.7
@solana/web3.js	npm	= 1.42.0	1.42.1
@solana/web3.js	npm	>= 1.41.0, < 1.41.11	1.41.11
@solana/web3.js	npm	>= 1.40.0, < 1.40.2	1.40.2
@solana/web3.js	npm	>= 1.39.0, < 1.39.2	1.39.2
@solana/web3.js	npm	= 1.38.0	1.38.1
@solana/web3.js	npm	>= 1.37.0, < 1.37.3	1.37.3
@solana/web3.js	npm	= 1.36.0	1.36.1
@solana/web3.js	npm	>= 1.35.0, < 1.35.2	1.35.2
@solana/web3.js	npm	= 1.34.0	1.34.1
@solana/web3.js	npm	= 1.33.0	1.33.1
@solana/web3.js	npm	>= 1.32.0, < 1.32.2	1.32.2
@solana/web3.js	npm	= 1.31.0	1.31.1
@solana/web3.js	npm	>= 1.30.0, < 1.30.3	1.30.3
@solana/web3.js	npm	>= 1.29.0, < 1.29.4	1.29.4
@solana/web3.js	npm	= 1.28.0	1.28.1
@solana/web3.js	npm	= 1.27.0	1.27.1
@solana/web3.js	npm	= 1.26.0	1.26.1
@solana/web3.js	npm	= 1.25.0	1.25.1
@solana/web3.js	npm	>= 1.24.0, < 1.24.3	1.24.3
@solana/web3.js	npm	= 1.23.0	1.23.1
@solana/web3.js	npm	= 1.22.0	1.22.1
@solana/web3.js	npm	= 1.21.0	1.21.1
@solana/web3.js	npm	>= 1.20.0, < 1.20.3	1.20.3
@solana/web3.js	npm	= 1.19.0	1.19.1
@solana/web3.js	npm	= 1.18.0	1.18.1
@solana/web3.js	npm	= 1.17.0	1.17.1
@solana/web3.js	npm	>= 1.16.0, < 1.16.2	1.16.2
@solana/web3.js	npm	= 1.15.0	1.15.1
@solana/web3.js	npm	= 1.14.0	1.14.1
@solana/web3.js	npm	= 1.13.0	1.13.1
@solana/web3.js	npm	= 1.12.0	1.12.1
@solana/web3.js	npm	= 1.11.0	1.11.1
@solana/web3.js	npm	>= 1.10.0, < 1.10.2	1.10.2
@solana/web3.js	npm	>= 1.9.0, < 1.9.2	1.9.2
@solana/web3.js	npm	= 1.8.0	1.8.1
@solana/web3.js	npm	>= 1.7.0, < 1.7.2	1.7.2
@solana/web3.js	npm	= 1.6.0	1.6.1
@solana/web3.js	npm	= 1.5.0	1.5.1
@solana/web3.js	npm	= 1.4.0	1.4.1
@solana/web3.js	npm	= 1.3.0	1.3.1
@solana/web3.js	npm	>= 1.2.0, < 1.2.8	1.2.8
@solana/web3.js	npm	>= 1.1.0, < 1.1.2	1.1.2
@solana/web3.js	npm	< 1.0.1	1.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe array operations (shift/splice) in deserialization code paths that lacked bounds checking. The commit 77d9352 introduced guardedShift/guardedSplice replacements in these exact locations, indicating these were the vulnerable functions. These methods process untrusted network input and previously allowed: 1) Reading past array boundaries (leading to undefined behavior) 2) Consuming arbitrary amounts of memory via crafted payloads. The high confidence comes from direct evidence in the patch - these specific functions were modified to add memory safety checks, and the CWE-119 classification confirms buffer boundary issues.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-30253: Handling untrusted input can result in a crash, leading to loss of availability / denial of service

CVE-2024-30253:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-30253: Handling untrusted input can result in a crash, leading to loss of availability / denial of service

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

7.5

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI