high
7.5
CWE
400 835 1288 168 20
EPSS
0.138%
Advisory Published
Advisory Published
Updated

CVE-2023-6245: Infinite decoding loop through specially crafted payload

First published: Fri Dec 08 2023(Updated: )

### Impact The Candid library causes a Denial of Service while parsing a specially crafted payload with `empty` data type. For example, if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the rust candid decoder treats `empty` as an extra field required by the type. The problem with type `empty` is that the candid rust library wrongly categorizes `empty` as a recoverable error when skipping the field and thus causing an infinite decoding loop. Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. For asset canister users, `dfx` versions `>= 0.14.4` to `<= 0.15.2-beta.0` ships asset canister with an affected version of candid. #### Unaffected - Rust canisters using candid `< 0.9.0` or `>= 0.9.10` - Rust canister interfaces of type other than `record { * }` - Motoko based canisters - dfx (for asset canister) `<= 0.14.3` or `>= 0.15.2` ### Patches The issue has been patched in `0.9.10`. All rust based canisters on candid versions `>= 0.9.0` must upgrade their candid versions to `>= 0.9.10` and deploy their canisters to mainnet as soon as possible. ### Workarounds There is no workaround for canisters using the affected versions of candid other than upgrading to patched version. ### References - [dfinity/candid/pull/478](https://github.com/dfinity/candid/pull/478) - [Candid Library Reference](https://internetcomputer.org/docs/current/references/candid-ref) - [Candid Specification](https://github.com/dfinity/candid/blob/master/spec/Candid.md) - [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)

Credit: 6b35d637-e00f-4228-858c-b20ad6e1d07b 6b35d637-e00f-4228-858c-b20ad6e1d07b

Affected SoftwareAffected VersionHow to fix
rust/candid>=0.9.0<0.9.10
0.9.10
Dfinity Candid>=0.9.0<0.9.10

Remedy

https://github.com/dfinity/candid/pull/478

Remedy

https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the impact of CVE-2023-6245?

    It causes a Denial of Service while parsing a specially crafted payload with `empty` data type.

  • How does CVE-2023-6245 affect the Candid library?

    It causes a Denial of Service vulnerability in the Candid library.

  • Which version of the Candid library is affected by CVE-2023-6245?

    Versions between 0.9.0 and 0.9.10 of the Candid library are affected.

  • What is the severity of CVE-2023-6245?

    The severity of CVE-2023-6245 is high with a CVSS score of 7.5.

  • Is there a fix available for CVE-2023-6245?

    Yes, the fix is available in version 0.9.10 of the Candid library.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203