
CVE-2024-38359:
Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.72318%
Published: 6/20/2024
Updated: 11/18/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/lightningnetwork/lnd | go | < 0.17.0-beta | 0.17.0-beta |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the failure of the HopPayload.Decode function to validate the payload length before allocating memory. The blog post explicitly shows the vulnerable code pattern, in which payloadSize (taken from untrusted input) was used directly to allocate memory via make([]byte, payloadSize). The fix added a tlvPayloadSize helper that enforces a maximum size (math.MaxUint16), confirming that this was the vulnerable entry point. The sphinx package context matches LND's onion processing implementation described in vulnerability reports.
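The allocation pattern described above, shown beside a bounded form, as an added example that is not LND's code. The function names and the `frame` helper are hypothetical, and a Go uvarint stands in for the onion packet's real length encoding; only the math.MaxUint16 cap comes from the page.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math"
)

var ErrPayloadTooLarge = errors.New("declared payload size exceeds maximum")

// frame builds a constructed test input: uvarint length prefix plus body.
func frame(declared uint64, body []byte) []byte {
	hdr := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(hdr, declared)
	return append(hdr[:n], body...)
}

// decodeUnbounded mirrors the flawed pattern: the declared size reaches
// make() unchecked, so the allocation is sized by untrusted input.
func decodeUnbounded(raw []byte) ([]byte, error) {
	r := bytes.NewReader(raw)
	payloadSize, err := binary.ReadUvarint(r)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, payloadSize) // no upper bound on payloadSize
	_, err = io.ReadFull(r, buf)
	return buf, err
}

// decodeBounded rejects a declared size above math.MaxUint16 before allocating.
func decodeBounded(raw []byte) ([]byte, error) {
	r := bytes.NewReader(raw)
	payloadSize, err := binary.ReadUvarint(r)
	if err != nil {
		return nil, err
	}
	if payloadSize > math.MaxUint16 {
		return nil, ErrPayloadTooLarge
	}
	buf := make([]byte, payloadSize)
	_, err = io.ReadFull(r, buf)
	return buf, err
}

// main runs only the bounded decoder on an oversized constructed frame.
func main() { fmt.Println(decodeBounded(frame(1<<32, nil))) }
```

The size check has to come before `make`, since rejecting the packet after the read fails is too late to prevent the allocation.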
