CryptoLib Out-of-Bounds Read Vulnerability in Base64url Decoding

Vulnerability

A moderate severity out-of-bounds read vulnerability has been identified in CryptoLib versions prior to 1.4.3. The issue arises in the Base64url decoding function, which does not validate zero-length or null input. Specifically, it dereferences the last byte of the input before verifying that the input length is greater than zero or that the input pointer is not null. This flaw leads to an out-of-bounds read that can crash the process. The vulnerability can be triggered by decoding an empty Base64url string, which is a valid input scenario that the function does not properly accommodate.

Impact

Exploitation of this vulnerability causes an out-of-bounds read, which can lead to a process crash.

Reproduction

The vulnerability can be reproduced by calling the 'base64urlDecode' function with an input length of zero, which triggers the out-of-bounds read at 'input[-1]'. This can occur with upstream inputs that result in a zero length, such as empty JSON fields.
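As an added illustration, not CryptoLib's own code, the decoder below shows the ordering the fix requires: the null and zero-length guards run before the `input[len - 1]` access that strips padding, so a zero-length input (for example an empty JSON field) is rejected instead of reading `input[-1]`. The function names, return codes and padding handling are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Return codes are constructed for this example, not CryptoLib's own. */
enum { B64URL_OK = 0, B64URL_ERR_NULL = -1, B64URL_ERR_EMPTY = -2, B64URL_ERR_CHAR = -3, B64URL_ERR_SPACE = -4 };
/* Map one base64url alphabet character to its 6-bit value, or -1 if invalid. */
static int b64url_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Decode base64url (with or without '=' padding) into out.
 * The null and zero-length guards run BEFORE any access to input[len - 1],
 * so an empty input is rejected instead of reading input[-1]. */
int base64url_decode(const char *input, size_t len,
                     uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (input == NULL || out == NULL || out_len == NULL) return B64URL_ERR_NULL;
    if (len == 0) return B64URL_ERR_EMPTY;
    while (len > 0 && input[len - 1] == '=') len--;  /* safe: len > 0 already checked */
    if (len == 0) return B64URL_ERR_EMPTY;           /* input was padding only */
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int v = b64url_val(input[i]);
        if (v < 0) return B64URL_ERR_CHAR;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return B64URL_ERR_SPACE;
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    *out_len = n;
    return B64URL_OK;
}

/* Decode a C string (NULL allowed): 1 if output equals expected, 0 on mismatch, else the error code. */
int decode_check(const char *s, const char *expected)
{
    uint8_t buf[64]; size_t n = 0;
    int rc = base64url_decode(s, s ? strlen(s) : 0, buf, sizeof buf, &n);
    if (rc != B64URL_OK) return rc;
    return (n == strlen(expected) && memcmp(buf, expected, n) == 0) ? 1 : 0;
}
```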

Remediation

Users can upgrade to CryptoLib version 1.4.3, where this vulnerability has been patched.

Added: Jan 10, 2026, 1:22 AM
Updated: Jan 10, 2026, 1:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.1
remediation: 7.7
relevance: 1.9
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.