CVE-2025-62370
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alloy-rs | alloy-dyn-abi | 1.4.1 |
| alloy-rs | alloy-dyn-abi | 0.8.26 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62370 is a denial-of-service (DoS) vulnerability in the Rust crate alloy-dyn-abi, specifically in the hashing of alloy_dyn_abi::TypedData performed by eip712_signing_hash(). Malformed input can trigger an uncaught panic because the code accesses the first element of a data structure without first checking that the structure is non-empty. The resulting crash affects availability. The issue affects versions prior to 0.8.26 and versions from 1.0.0 up to but not including 1.4.1. The fix adds a check that the structure is non-empty before the access and returns an error when it is empty. Patched versions are v1.4.1 and the backport v0.8.26. [4, 5]
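The pattern the answer describes, as an added Rust example written for this record (not alloy-dyn-abi's own code): a hypothetical typed-data model in which the unchecked variant indexes element 0 of a caller-supplied list and panics on empty input, beside the checked variant that returns an error value instead. The names TypeDef, SigningError, signing_hash_unchecked, signing_hash_checked and sample_types are this example's own assumptions, and the hash is std's DefaultHasher rather than EIP-712.

```rust
// Added example for this record, not code from alloy-dyn-abi: the CWE-248
// (uncaught exception / panic) pattern behind CVE-2025-62370, modelled on a
// hypothetical typed-data definition.
use std::collections::hash_map::DefaultHasher;
use std::fmt;
use std::hash::{Hash, Hasher};

/// Hypothetical stand-in for a typed-data struct definition: a type name
/// with its ordered field declarations. Constructed for this example.
#[derive(Debug, Clone, Hash)]
pub struct TypeDef {
    pub name: String,
    pub fields: Vec<String>,
}

/// Error returned by the checked variant instead of panicking.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SigningError {
    /// The caller supplied no types at all, so there is no primary type to hash.
    MissingPrimaryType,
}

impl fmt::Display for SigningError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            SigningError::MissingPrimaryType => write!(f, "typed data has no primary type"),
        }
    }
}

impl std::error::Error for SigningError {}

/// Vulnerable pattern: indexes element 0 of caller-controlled input without
/// checking that the slice is non-empty. On an empty slice this panics; if
/// nothing catches the panic, the thread (or the process) dies.
pub fn signing_hash_unchecked(types: &[TypeDef]) -> u64 {
    let primary = &types[0]; // panics with "index out of bounds" on empty input
    let mut hasher = DefaultHasher::new();
    primary.hash(&mut hasher);
    for dependent in &types[1..] {
        dependent.hash(&mut hasher);
    }
    hasher.finish()
}

/// Fixed pattern: the emptiness check happens before the access, and the
/// empty case becomes an error value the caller can handle or log.
pub fn signing_hash_checked(types: &[TypeDef]) -> Result<u64, SigningError> {
    let (primary, dependents) = types
        .split_first()
        .ok_or(SigningError::MissingPrimaryType)?;
    let mut hasher = DefaultHasher::new();
    primary.hash(&mut hasher);
    for dependent in dependents {
        dependent.hash(&mut hasher);
    }
    Ok(hasher.finish())
}

/// Constructed sample input (not real EIP-712 data): a primary type and one
/// referenced type, in the order they would be hashed.
pub fn sample_types() -> Vec<TypeDef> {
    vec![
        TypeDef {
            name: "Mail".to_string(),
            fields: vec!["from Person".to_string(), "to Person".to_string()],
        },
        TypeDef {
            name: "Person".to_string(),
            fields: vec!["name string".to_string(), "wallet address".to_string()],
        },
    ]
}

fn main() {
    let types = sample_types();
    println!("well-formed input: {:?}", signing_hash_checked(&types));
    println!("empty input:       {:?}", signing_hash_checked(&[]));
    // signing_hash_unchecked(&[]) would panic here and, uncaught, end the program.
}
```

The checked variant is what the fix description amounts to: `split_first()` yields `None` for an empty slice, and `ok_or` turns that into an error the caller decides how to handle, so untrusted input can no longer take the service down.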
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) condition by crashing the software when it processes malformed input. This impacts the availability of the affected software, which is particularly critical for systems requiring high availability such as network services. Since the attack requires no privileges or user interaction and has low complexity, it can be exploited remotely. External auto-restarting mechanisms may partially mitigate the impact unless repeated attacks occur. [4, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying whether your system is running a vulnerable version of the alloy-dyn-abi crate, specifically versions prior to 0.8.26 or versions from 1.0.0 up to but not including 1.4.1. There are no specific commands provided in the resources to detect this vulnerability directly on the network or system. However, you can check the installed version of the alloy-dyn-abi crate in your Rust project by running `cargo tree | grep alloy-dyn-abi` or by inspecting your Cargo.lock file. Since the issue causes an uncaught panic, and therefore a denial of service, when malformed input reaches eip712_signing_hash(), monitoring logs for application crashes or panics related to that function may also indicate exploitation attempts. [4, 5]
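An added example, not part of the record, for the Cargo.lock check described above: it parses a lock file (a constructed excerpt is embedded) and flags every alloy-dyn-abi entry whose version falls in the affected ranges the answer states (below 0.8.26, or 1.0.0 up to but not including 1.4.1). The Version, Finding, packages_from_lock, check_lock and SAMPLE_LOCK names are this example's own, and it uses only the standard library.

```rust
// Added example for this record, not from alloy-dyn-abi or BaseFortify:
// report alloy-dyn-abi entries in a Cargo.lock that fall in the ranges
// affected by CVE-2025-62370, using only std.

/// Minimal semantic-version triple; derived Ord compares major, minor,
/// patch in that order.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix
    /// ("1.4.1-rc.1" is treated as 1.4.1). Returns None on anything else.
    pub fn parse(text: &str) -> Option<Version> {
        let core = text.split(|c: char| c == '-' || c == '+').next()?;
        let mut parts = core.split('.');
        let major = parts.next()?.parse::<u64>().ok()?;
        let minor = parts.next()?.parse::<u64>().ok()?;
        let patch = parts.next()?.parse::<u64>().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// Affected ranges as the advisory text states them: versions before 0.8.26,
/// and versions from 1.0.0 up to but not including 1.4.1.
pub fn is_affected(v: Version) -> bool {
    let fix_0_8 = Version { major: 0, minor: 8, patch: 26 };
    let first_1 = Version { major: 1, minor: 0, patch: 0 };
    let fix_1_4 = Version { major: 1, minor: 4, patch: 1 };
    v < fix_0_8 || (v >= first_1 && v < fix_1_4)
}

/// One (name, version) pair per `[[package]]` table in a Cargo.lock.
pub fn packages_from_lock(lock: &str) -> Vec<(String, String)> {
    let mut packages = Vec::new();
    let mut in_package = false;
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;

    for raw in lock.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // A new table starts: emit the entry collected so far, if complete.
            if let (true, Some(n), Some(v)) = (in_package, name.take(), version.take()) {
                packages.push((n, v));
            }
            name = None;
            version = None;
            in_package = line == "[[package]]";
            continue;
        }
        if !in_package {
            continue; // skips the top-level `version = 3` line, for instance
        }
        if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    if let (true, Some(n), Some(v)) = (in_package, name, version) {
        packages.push((n, v));
    }
    packages
}

/// Verdict for one lock-file entry; `affected` is None when the version
/// string could not be parsed and needs a manual look.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub name: String,
    pub version: String,
    pub affected: Option<bool>,
}

/// Every entry for `crate_name`, with its verdict. A lock file can list the
/// same crate more than once when dependencies pin different major versions,
/// so all copies are reported rather than just the first.
pub fn check_lock(lock: &str, crate_name: &str) -> Vec<Finding> {
    packages_from_lock(lock)
        .into_iter()
        .filter(|(n, _)| n == crate_name)
        .map(|(name, version)| Finding {
            affected: Version::parse(&version).map(is_affected),
            name,
            version,
        })
        .collect()
}

/// Constructed Cargo.lock excerpt for this example, not from any real project.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "alloy-dyn-abi"
version = "0.8.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "example-dep",
]

[[package]]
name = "alloy-dyn-abi"
version = "1.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-dep"
version = "0.1.0"
"#;

fn main() {
    // In a real project: let lock = std::fs::read_to_string("Cargo.lock")?;
    for f in check_lock(SAMPLE_LOCK, "alloy-dyn-abi") {
        let verdict = match f.affected {
            Some(true) => "AFFECTED: upgrade to 0.8.26 or 1.4.1 or later",
            Some(false) => "not affected",
            None => "unparseable version, check manually",
        };
        println!("{} {}: {}", f.name, f.version, verdict);
    }
}
```

Reading Cargo.lock rather than Cargo.toml matters here: the manifest may only name a direct dependency that pulls alloy-dyn-abi in transitively, while the lock file records the exact resolved version of every copy.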
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade the alloy-dyn-abi crate to a patched version: either v0.8.26 or v1.4.1 or later. These versions include the fix that adds a check to ensure the element is not empty before accessing it, preventing the uncaught panic. If upgrading immediately is not possible, external auto-restarting mechanisms can partially mitigate availability issues by restarting the service after a crash, but this does not prevent repeated attacks. No other known workarounds exist. [4, 5]