Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 8 cargo packages depend on nimiq-blockchain (6 direct, 2 indirect)
Ecosystem-wide dependent count for version 0.2.0.
DescriptionGitHub Advisory
Impact
HistoryStore::put_historic_txns uses an assert! to enforce invariants about HistoricTransaction.block_number (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the history: &[HistoricTransaction] input passed into Blockchain::push_history_sync, and a malformed history list can violate these invariants and trigger a panic.
extend_history_sync calls this.history_store.add_to_history(..) before comparing the computed history root against the macro block header (block.history_root()), so the panic can happen before later rejection checks run.
Patches
The patch for this vulnerability is included as part of v1.3.0.
Workarounds
No known workarounds.
AnalysisAI
Denial of service in Nimiq Core's history synchronization allows remote peers to trigger a panic in HistoryStore::put_historic_txns by submitting malformed transaction history with block numbers violating invariant constraints. During history sync, the panic occurs before validation checks compare the computed history root against the macro block header, causing affected nodes to crash. The CVSS score of 5.3 reflects high availability impact but requires user interaction and high attack complexity to exploit.
Technical ContextAI
The vulnerability exists in the Nimiq blockchain consensus layer's history synchronization mechanism. The HistoryStore::put_historic_txns function uses Rust assert! macros to enforce that HistoricTransaction block numbers fall within the macro block being pushed and remain within the same epoch. During blockchain::push_history_sync, untrusted peer-supplied history data is processed by extend_history_sync, which calls history_store.add_to_history before performing cryptographic validation of the history root against the macro block header. The root cause (CWE-20: Improper Input Validation) stems from calling security-critical functions with unchecked invariant assumptions before defensive validation gates. This is a classic issue in systems programming where panics (Rust's unwind mechanism) can be weaponized to cause denial of service if triggered on adversarial input paths.
RemediationAI
Upgrade nimiq-blockchain to version 1.3.0 or later immediately. The vendor-released patch is available in v1.3.0 of nimiq/core-rs-albatross (https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0) and implements validation of HistoricTransaction invariants before calling add_to_history, preventing assertion panics on malformed peer input. The patch PR is available at https://github.com/nimiq/core-rs-albatross/pull/3656. For Rust projects depending on the nimiq-blockchain crate, update Cargo.toml to require version 1.3.0+ and run 'cargo update'. No workarounds exist; patching is the only mitigation. Validators and full nodes must upgrade their nimiq-core implementations to prevent denial of service during history sync with untrusted peers.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25064
GHSA-j99g-7rqw-q9jg