Nimiq Transaction History Tree Proof Length Mismatch Panic Vulnerability
Vulnerability
A vulnerability in the Nimiq Transaction package, in versions through 1.2.2, allows a malicious peer to cause a panic by sending a crafted inclusion proof with a length mismatch. The issue is in the `HistoryTreeProof::verify` method, which improperly validates proof lengths and crashes when the lengths do not match. The proof is derived from untrusted peer-to-peer responses, so its contents are open to manipulation at the network boundary until they have been validated.
Impact
Exploitation of this vulnerability causes a panic in the `HistoryTreeProof::verify` method, disrupting the application's normal operation and potentially leading to a denial of service.
Remediation
Users can upgrade to Nimiq Transaction version 1.3.0 or later to address this vulnerability.
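The failure class described above, shown as an added example that is not Nimiq's code: a proof with two peer-supplied lists is folded once by an unchecked routine that panics on a length mismatch, and once by a hardened routine that returns an error before any indexing. The `PeerProof` struct, its field names, `ProofError` and the toy hash are assumptions made for illustration.

```rust
// Added illustration: a simplified stand-in, NOT Nimiq's HistoryTreeProof.
// Struct, field names and the toy hash are assumptions made for this example.
#[derive(Debug, PartialEq)]
pub enum ProofError {
    LengthMismatch { positions: usize, leaves: usize },
    Empty,
}

/// Proof as deserialized from an untrusted peer: two lists that must pair up.
pub struct PeerProof {
    pub positions: Vec<u64>,
    pub leaves: Vec<Vec<u8>>,
}

// Toy FNV-1a style mixer standing in for a real cryptographic hash.
fn toy_hash(pos: u64, leaf: &[u8]) -> u64 {
    let seed = 0xcbf29ce484222325u64 ^ pos;
    leaf.iter().fold(seed, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

/// Unchecked form: trusts that both lists have the same length.
pub fn fold_unchecked(p: &PeerProof) -> u64 {
    let mut acc = 0u64;
    for i in 0..p.positions.len() {
        // Index out of bounds (panic) when the peer sends fewer leaves.
        acc ^= toy_hash(p.positions[i], &p.leaves[i]);
    }
    acc
}

/// Hardened form: malformed input becomes an Err before any indexing.
pub fn verify(p: &PeerProof, expected_root: u64) -> Result<bool, ProofError> {
    let (np, nl) = (p.positions.len(), p.leaves.len());
    if np != nl {
        return Err(ProofError::LengthMismatch { positions: np, leaves: nl });
    }
    if np == 0 {
        return Err(ProofError::Empty);
    }
    let acc = p.positions.iter().zip(&p.leaves)
        .fold(0u64, |a, (pos, leaf)| a ^ toy_hash(*pos, leaf));
    Ok(acc == expected_root)
}

fn main() {
    // Constructed sample input: two positions but only one leaf.
    let bad = PeerProof { positions: vec![0, 1], leaves: vec![b"tx-a".to_vec()] };
    println!("{:?}", verify(&bad, 0)); // rejected as an error, no panic
}
```

Returning a `Result` lets the caller treat a malformed proof as a peer-misbehaviour event to log and act on, rather than a process crash.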
