CVE-2024-30253

7.5 HIGH

📋 TL;DR

A memory exhaustion vulnerability in @solana/web3.js allows attackers to crash applications by providing malicious inputs. This affects any server, client, mobile, or desktop application using vulnerable versions of the Solana JavaScript SDK that processes untrusted input. The vulnerability results in denial of service through application crashes.

💻 Affected Systems

Products:
  • @solana/web3.js (Solana JavaScript SDK)
Versions: All versions except: 1.0.1, 1.10.2, 1.11.1, 1.12.1, 1.1.2, 1.13.1, 1.14.1, 1.15.1, 1.16.2, 1.17.1, 1.18.1, 1.19.1, 1.20.3, 1.21.1, 1.22.1, 1.23.1, 1.24.3, 1.25.1, 1.26.1, 1.27.1, 1.28.1, 1.2.8, 1.29.4, 1.30.3, 1.31.1, 1.3.1, 1.32.3, 1.33.1, 1.34.1, 1.35.2, 1.36.1, 1.37.3, 1.38.1, 1.39.2, 1.40.2, 1.41.11, 1.4.1, 1.42.1, 1.43.7, 1.44.4, 1.45.1, 1.46.1, 1.47.5, 1.48.1, 1.49.1, 1.50.2, 1.51.1, 1.5.1, 1.52.1, 1.53.1, 1.54.2, 1.55.1, 1.56.3, 1.57.1, 1.58.1, 1.59.2, 1.60.1, 1.61.2, 1.6.1, 1.62.2, 1.63.2, 1.64.1, 1.65.1, 1.66.6, 1.67.3, 1.68.2, 1.69.1, 1.70.4, 1.71.1, 1.72.1, 1.7.2, 1.73.5, 1.74.1, 1.75.1, 1.76.1, 1.77.4, 1.78.8, 1.79.1, 1.80.1, 1.81.1, 1.8.1, 1.82.1, 1.83.1, 1.84.1, 1.85.1, 1.86.1, 1.87.7, 1.88.1, 1.89.2, 1.90.2, 1.9.2, and 1.91.3
Operating Systems: All platforms running Node.js or JavaScript environments
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing untrusted input. Applications that don't accept external input may not be affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage through application crashes, potentially affecting all users of vulnerable applications.

🟠 Likely Case: Targeted denial of service attacks against specific applications or services using the vulnerable SDK.

🟢 If Mitigated: No impact if applications don't process untrusted input or are properly patched.

🌐 Internet-Facing: HIGH - Applications accepting untrusted input from the internet are directly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal applications could still be vulnerable if they process untrusted data, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires specific inputs but no authentication. Exploitation details are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions listed in affected systems section

Vendor Advisory: https://github.com/solana-labs/solana-web3.js/security/advisories/GHSA-8m45-2rjm-j347

Restart Required: Yes

Instructions:

1. Identify your current @solana/web3.js version.
2. Update to the appropriate fixed version using npm update @solana/web3.js.
3. Restart your application/service.
4. Test functionality with the updated version.

🔧 Temporary Workarounds

Input Validation and Sanitization

Implement strict input validation and sanitization for all data passed to @solana/web3.js functions.

Rate Limiting

Implement rate limiting on endpoints that accept input for @solana/web3.js processing.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-provided data
  • Deploy application behind a WAF with DoS protection capabilities

🔍 How to Verify

Check if Vulnerable:

Check package.json for the @solana/web3.js version. If the version is not in the fixed versions list, you are vulnerable.

Check Version:

npm list @solana/web3.js

Verify Fix Applied:

After updating, verify the version in package.json matches one of the fixed versions. Test application with various inputs to ensure no crashes.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory exhaustion errors
  • High memory usage spikes followed by process termination
  • Unusual input patterns to @solana/web3.js functions

Network Indicators:

  • Repeated requests with similar payloads to endpoints using @solana/web3.js
  • Sudden increase in request volume to specific endpoints

SIEM Query:

source="application.logs" AND ("out of memory" OR "OOM" OR "memory exhaustion") AND process="node"
