Azle WebAssembly Runtime Infinite Timer Loop Vulnerability
Vulnerability
A vulnerability in the Azle WebAssembly runtime for TypeScript and JavaScript on ICP has been identified. In Azle versions 0.27.0, 0.28.0, and 0.29.0, invoking the 'setTimer' function creates an immediate infinite loop. This loop consists of timers that continuously execute, with each one trying to clean up the global state left by the previous timer. The issue arises with any valid 'setTimer' invocation. The vulnerability has been addressed in Azle version 0.30.0.
Impact
Exploiting this vulnerability leads to an infinite loop of timer executions on the affected canister. The timers repeatedly attempt to manage the global state but fail to do so effectively, which causes significant disruption.
Remediation
To resolve this issue, upgrade to Azle version 0.30.0. If a canister is already trapped in the infinite loop, it can be upgraded to clear all timers and end the loop.
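One way to check whether a project still resolves azle to an affected release, as an added example that is not part of the advisory or the Azle project. It walks a parsed npm lockfile (the flat `packages` map of lockfile versions 2 and 3, or the nested `dependencies` tree of version 1); the function name `findAffectedAzle` and the sample lockfile are constructed for illustration.

```javascript
// Added example: audits a parsed package-lock.json for the azle versions
// the advisory lists as affected. Not code from the Azle project.
const AFFECTED = new Set(['0.27.0', '0.28.0', '0.29.0']); // from the advisory
const FIXED = '0.30.0';                                    // from the advisory

function findAffectedAzle(lock) {
  const hits = [];
  const record = (path, version) => {
    if (AFFECTED.has(version)) hits.push({ path, version, upgradeTo: FIXED });
  };

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isAzle = path === 'node_modules/azle' || path.endsWith('/node_modules/azle');
    if (isAzle) record(path, meta.version);
  }

  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'azle') record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  // Version 2 lockfiles carry both sections; avoid counting a copy twice.
  if (!lock.packages) walk(lock.dependencies, '');

  return hits;
}

// Constructed sample lockfile: one affected copy, one fixed nested copy,
// and a similarly named package that must not match.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-canister', dependencies: { azle: '^0.29.0' } },
    'node_modules/azle': { version: '0.29.0' },
    'node_modules/example-lib/node_modules/azle': { version: '0.30.0' },
    'node_modules/not-azle': { version: '0.27.0' },
  },
};

for (const hit of findAffectedAzle(SAMPLE_LOCK)) {
  console.log(`${hit.path} resolves to azle ${hit.version}; upgrade to ${hit.upgradeTo}`);
}
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` instead of `SAMPLE_LOCK`.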
