Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
5Blast Radius
ecosystem impact- 16 cargo packages depend on nimiq-transaction (10 direct, 6 indirect)
Ecosystem-wide dependent count for version 0.2.0.
DescriptionGitHub Advisory
Impact
HistoryTreeProof::verify panics on a malformed proof where history.len() != positions.len() due to assert_eq!(history.len(), positions.len()).
The proof object is derived from untrusted p2p responses (ResponseTransactionsProof.proof) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch.
Patches
The patch for this vulnerability is included as part of v1.3.0.
Workarounds
No known workarounds know.
AnalysisAI
Nimiq Core-rs-Albatross prior to v1.3.0 crashes when processing malformed transaction inclusion proofs with mismatched history and positions arrays. A remote attacker can trigger a denial of service by sending a crafted ResponseTransactionsProof with unequal array lengths, causing the HistoryTreeProof::verify function to panic. The vulnerability requires high attack complexity and user interaction, limiting real-world impact despite network accessibility.
Technical ContextAI
The vulnerability resides in the HistoryTreeProof::verify function within the nimiq-transaction crate, a Rust-based blockchain component. The function validates transaction inclusion proofs derived from untrusted peer-to-peer responses (ResponseTransactionsProof.proof). The root cause is an unguarded assert_eq! macro comparing history.len() and positions.len() without bounds checking or graceful error handling, violating CWE-617 (Reachable Assertion). Proof structures are deserialized from network messages before validation, exposing the assertion to attacker control. The Rust assert! macro causes a panic unwind rather than returning an error, terminating the validator process.
RemediationAI
Upgrade to Nimiq Core-rs-Albatross v1.3.0 or later, which includes the upstream fix committed at 6ff0800e8e031363e787c827d8d033e5694e4e6a (merged via pull request #3659). This patch replaces the unguarded assert_eq! with proper bounds validation that returns a validation error instead of panicking. For organizations unable to upgrade immediately, implement input validation at the network layer to reject ResponseTransactionsProof messages where proof array lengths are obviously mismatched before passing to HistoryTreeProof::verify. Be aware that this workaround requires network-level introspection and may not catch all proof structures; patching is the recommended path. See GitHub advisory GHSA-264v-m8fm-76jm and the v1.3.0 release notes for deployment guidance.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25084
GHSA-264v-m8fm-76jm