CVE-2025-62370
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
Alloy Core libraries at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash(). Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible. The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62370
EUVD
EUVD-2025-34683
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
alloy-rs alloy-dyn-abi 1.4.1
alloy-rs alloy-dyn-abi 0.8.26
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62370 is a denial-of-service (DoS) vulnerability in the Rust crate alloy-dyn-abi, specifically in the alloy_dyn_abi::TypedData hashing process used by the function eip712_signing_hash(). The vulnerability occurs because malformed input can trigger an uncaught panic due to accessing the first element of an empty data structure without checking if it is empty. This causes the software to crash, impacting availability. The issue affects versions prior to 0.8.26 and between 1.0.0 and before 1.4.1. The fix involves adding a check to ensure the element is not empty before access, returning an error if it is empty. Patched versions include v1.4.1 and backported v0.8.26. [4, 5]

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing the software when it processes malformed input. This impacts the availability of the affected software, which is particularly critical for systems requiring high availability such as network services. Since the attack requires no privileges or user interaction and has low complexity, it can be exploited remotely. External auto-restarting mechanisms may partially mitigate the impact unless repeated attacks occur. [4, 5]

Detection Guidance

This vulnerability can be detected by identifying if your system is running a vulnerable version of the alloy-dyn-abi crate, specifically versions prior to 0.8.26 or between 1.0.0 and before 1.4.1. Since the issue causes an uncaught panic leading to a denial-of-service when malformed input is processed by the eip712_signing_hash() function, monitoring for crashes or panics related to this function can help detect exploitation attempts. There are no specific commands provided in the resources to detect this vulnerability directly on the network or system. However, you can check the installed version of the alloy-dyn-abi crate in your Rust project by running: `cargo tree | grep alloy-dyn-abi` or inspecting your Cargo.lock file. Additionally, monitoring logs for application crashes or panics related to eip712_signing_hash() may indicate exploitation attempts. [4, 5]

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade the alloy-dyn-abi crate to a patched version: either v0.8.26 or v1.4.1 or later. These versions include the fix that adds a check to ensure the element is not empty before accessing it, preventing the uncaught panic. If upgrading immediately is not possible, external auto-restarting mechanisms can partially mitigate availability issues by restarting the service after a crash, but this does not prevent repeated attacks. No other known workarounds exist. [4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart