Alloy Dynamic ABI Library Denial-of-Service Vulnerability in EIP-712 Signing Hash
Vulnerability
A denial-of-service vulnerability has been identified in the Alloy dynamic ABI library, in versions prior to 0.8.26 and 1.4.1. The issue is a panic in the 'TypedData' component: malformed input passed to it causes 'eip712_signing_hash()' to panic, and the library does not catch or convert that panic into an error. This is particularly concerning for software with high availability requirements, such as network services. External auto-restart mechanisms can partially mitigate the impact, but they offer little protection when the malformed input can be sent repeatedly.
Impact
Exploitation of this vulnerability leads to an uncaught panic, causing a denial-of-service condition where the application becomes unresponsive or unavailable. This is especially problematic for services that require high availability.
Reproduction
The vulnerability can be reproduced with a version of the Alloy dynamic ABI library prior to 0.8.26, or a version from 1.0.0 up to the fixed release 1.4.1. Feeding malformed input to 'TypedData' triggers a panic; the vulnerable versions do not catch or convert it into an error, so unless the calling application contains the panic itself the result is a denial-of-service condition.
Remediation
Users are advised to upgrade to version 0.8.26 or 1.4.1, both of which include the necessary patch. Instructions for upgrading can be found on the Alloy dynamic ABI crate page on crates.io.
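Upgrading is the fix; the pattern below is an added example (not code from the Alloy project) of the defence-in-depth a network service can put around a library call that may panic on untrusted input, so that one bad request produces an error response instead of taking the handler thread or process down. The function 'hash_typed_data_untrusted' is a hypothetical stand-in for 'TypedData::eip712_signing_hash()': it panics on malformed input the way the advisory describes, and its hash is a toy, not keccak256. The sample requests are constructed.

```rust
// Added example (not code from the alloy-dyn-abi project): containing a panic
// raised by an untrusted-input parser so that one malformed request cannot
// take down a whole service. `hash_typed_data_untrusted` is a hypothetical
// stand-in for the library call `TypedData::eip712_signing_hash()`.
use std::panic::{self, AssertUnwindSafe};

/// Stand-in for the library's signing-hash routine (hypothetical). Real
/// EIP-712 hashing is not implemented here; only the panic behaviour matters.
fn hash_typed_data_untrusted(payload: &str) -> [u8; 32] {
    // Simulate the library rejecting malformed input with a panic
    // rather than returning an error value.
    if !payload.starts_with('{') || !payload.contains("\"primaryType\"") {
        panic!("malformed TypedData payload");
    }
    // Toy "hash": fold the bytes into 32 bytes (NOT a real keccak256).
    let mut out = [0u8; 32];
    for (i, b) in payload.bytes().enumerate() {
        out[i % 32] = out[i % 32].wrapping_add(b);
    }
    out
}

/// Request-handler boundary: converts a panic inside the hashing routine into
/// an error the caller can log and answer, instead of letting it unwind the
/// handler thread (or abort the process when it happens on the main thread).
fn signing_hash_guarded(payload: &str) -> Result<[u8; 32], String> {
    let result = panic::catch_unwind(AssertUnwindSafe(|| hash_typed_data_untrusted(payload)));
    match result {
        Ok(hash) => Ok(hash),
        Err(cause) => {
            // Panic payloads are usually &str or String; recover the message
            // for the log line and fall back to a generic label otherwise.
            let msg = cause
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| cause.downcast_ref::<String>().cloned())
                .unwrap_or_else(|| "unknown panic".to_string());
            Err(format!("rejected malformed TypedData request: {msg}"))
        }
    }
}

fn main() {
    // Silence the default panic hook so the service log stays readable;
    // the guarded function already reports the failure as an Err.
    panic::set_hook(Box::new(|_| {}));

    // Constructed sample requests: one well-formed, one garbage.
    let good = r#"{"primaryType":"Mail","domain":{},"message":{}}"#;
    let bad = "not json at all";

    println!("well-formed request hashed: {}", signing_hash_guarded(good).is_ok());
    println!("malformed request: {:?}", signing_hash_guarded(bad));
}
```

'catch_unwind' only works when the crate is built with the default 'panic = "unwind"' strategy; with 'panic = "abort"' in the profile the process still dies, so check the build profile before relying on this. It also contains the panic only at the boundary where it is applied, so it complements the upgrade to 0.8.26 or 1.4.1 rather than replacing it.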
