Common Weakness Enumeration

CWE-617

Allowed

Reachable Assertion

Abstraction: Base · Status: Draft

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

989 vulnerabilities reference this CWE, most recent first.

GHSA-C8W6-X74F-VMG3

Vulnerability from github – Published: 2026-07-02 19:37 – Updated: 2026-07-02 19:37
VLAI
Summary
zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers
Details

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your zebrad.toml sets rpc.listen_addr to a TCP address (RPC server is enabled).
  3. An attacker can authenticate to the RPC endpoint. With the default enable_cookie_auth = true, this requires the attacker to read the .cookie file (typically local access). With enable_cookie_auth = false, any network client reaching the RPC port can trigger it.

Summary

The z_listunifiedreceivers RPC handler panics when processing a structurally valid Unified Address whose Sapling receiver carries 43 bytes that fail cryptographic validation (sapling_crypto::PaymentAddress::from_bytes returns None for non-subgroup Jubjub points). The handler calls .expect("using data already decoded as valid") on the fallible result. Because Zebra's release profile sets panic = "abort", the panic terminates the entire node process, not just the RPC task.

Details

zcash_address::unified::Encoding::decode validates only the structural envelope of a Unified Address (F4Jumble, bech32m, typecode ordering, 43-byte length for Sapling). It does not validate that the embedded pk_d is a valid Jubjub subgroup point or that the diversifier produces a valid g_d preimage.

At zebra-rpc/src/methods.rs:2893, the handler calls Address::try_from_sapling(network, data), which delegates to sapling_crypto::PaymentAddress::from_bytes. When from_bytes returns None (most random 32-byte strings fail the subgroup check), the .expect() fires and the process aborts.

The same crate already handles this correctly in try_from_unified at zebra-chain/src/primitives/address.rs:99-110, which returns Err when from_bytes fails. The vulnerable code path bypasses this validated route.

Patches

zebra-rpc 8.0.0 and zebrad 4.5.0.

Replace .expect() with .map_err(|e| ErrorObject::owned(...)) for proper error propagation, or route through the existing try_from_unified path which already handles this case correctly.

Workarounds

  • Disable the RPC server by removing rpc.listen_addr from zebrad.toml.
  • Ensure enable_cookie_auth = true (the default) and restrict filesystem access to the .cookie file.
  • Place a reverse proxy in front of the RPC port that rejects z_listunifiedreceivers calls with untrusted address parameters.

Impact

A single authenticated RPC request terminates the zebrad process. The attack is repeatable on restart (the same request triggers the same abort), allowing an attacker to keep the node down indefinitely until the request is filtered upstream. Operators using lightwalletd backends, Zaino indexers, or mining pool infrastructure that forward RPC calls to zebrad may be exposed if the forwarding path passes through z_listunifiedreceivers.

Credit

Reported by @robustfengbin via a private GitHub Security Advisory submission.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-rpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248",
      "CWE-617",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T19:37:58Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your `zebrad.toml` sets `rpc.listen_addr` to a TCP address (RPC server is enabled).\n3. An attacker can authenticate to the RPC endpoint. With the default `enable_cookie_auth = true`, this requires the attacker to read the `.cookie` file (typically local access). With `enable_cookie_auth = false`, any network client reaching the RPC port can trigger it.\n\n### Summary\n\nThe `z_listunifiedreceivers` RPC handler panics when processing a structurally valid Unified Address whose Sapling receiver carries 43 bytes that fail cryptographic validation (`sapling_crypto::PaymentAddress::from_bytes` returns `None` for non-subgroup Jubjub points). The handler calls `.expect(\"using data already decoded as valid\")` on the fallible result. Because Zebra\u0027s release profile sets `panic = \"abort\"`, the panic terminates the entire node process, not just the RPC task.\n\n### Details\n\n`zcash_address::unified::Encoding::decode` validates only the structural envelope of a Unified Address (F4Jumble, bech32m, typecode ordering, 43-byte length for Sapling). It does not validate that the embedded `pk_d` is a valid Jubjub subgroup point or that the diversifier produces a valid `g_d` preimage.\n\nAt `zebra-rpc/src/methods.rs:2893`, the handler calls `Address::try_from_sapling(network, data)`, which delegates to `sapling_crypto::PaymentAddress::from_bytes`. When `from_bytes` returns `None` (most random 32-byte strings fail the subgroup check), the `.expect()` fires and the process aborts.\n\nThe same crate already handles this correctly in `try_from_unified` at `zebra-chain/src/primitives/address.rs:99-110`, which returns `Err` when `from_bytes` fails. The vulnerable code path bypasses this validated route.\n\n### Patches\n\nzebra-rpc 8.0.0 and zebrad 4.5.0.\n\nReplace `.expect()` with `.map_err(|e| ErrorObject::owned(...))` for proper error propagation, or route through the existing `try_from_unified` path which already handles this case correctly.\n\n### Workarounds\n\n- Disable the RPC server by removing `rpc.listen_addr` from `zebrad.toml`.\n- Ensure `enable_cookie_auth = true` (the default) and restrict filesystem access to the `.cookie` file.\n- Place a reverse proxy in front of the RPC port that rejects `z_listunifiedreceivers` calls with untrusted address parameters.\n\n### Impact\n\nA single authenticated RPC request terminates the `zebrad` process. The attack is repeatable on restart (the same request triggers the same abort), allowing an attacker to keep the node down indefinitely until the request is filtered upstream. Operators using `lightwalletd` backends, Zaino indexers, or mining pool infrastructure that forward RPC calls to `zebrad` may be exposed if the forwarding path passes through `z_listunifiedreceivers`.\n\n### Credit\n\nReported by `@robustfengbin` via a private GitHub Security Advisory submission.",
  "id": "GHSA-c8w6-x74f-vmg3",
  "modified": "2026-07-02T19:37:58Z",
  "published": "2026-07-02T19:37:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-c8w6-x74f-vmg3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/Cargo.toml#L305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-rpc/src/methods.rs#L2867-L2914"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers"
}

GHSA-C97C-HRFM-F3WC

Vulnerability from github – Published: 2022-01-21 00:00 – Updated: 2022-01-27 00:02
VLAI
Details

There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-20T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is an Assertion \u0027local_tza == ecma_date_local_time_zone_adjustment (date_value)\u0027 failed at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0.",
  "id": "GHSA-c97c-hrfm-f3wc",
  "modified": "2022-01-27T00:02:24Z",
  "published": "2022-01-21T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46346"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jerryscript-project/jerryscript/issues/4939"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-C9PJ-GF53-PG7P

Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-01-05 00:02
VLAI
Details

A Denial of Service vulnerability exits in Binaryen 103 due to an assertion abort in wasm::handle_unreachable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-21T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Denial of Service vulnerability exits in Binaryen 103 due to an assertion abort in wasm::handle_unreachable.",
  "id": "GHSA-c9pj-gf53-pg7p",
  "modified": "2022-01-05T00:02:02Z",
  "published": "2021-12-22T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WebAssembly/binaryen/issues/4383"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKGCHPS7UAIOOBGSXDJAUFE5CROTTF6J"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YCWLB4PWYQO55F7IGNC7KUYN2MFZE3JP"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-C9R2-56CR-XPQG

Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:34
VLAI
Details

Transient DOS due to reachable assertion in modem while processing sib with incorrect values from network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-06T08:15:11Z",
    "severity": "HIGH"
  },
  "details": "Transient DOS due to reachable assertion in modem while processing sib with incorrect values from network.",
  "id": "GHSA-c9r2-56cr-xpqg",
  "modified": "2024-04-04T04:34:26Z",
  "published": "2023-06-06T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40538"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC8X-CHX9-C63Q

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

In BIND 9.16.19, 9.17.16. Also, version 9.16.19-S1 of BIND Supported Preview Edition When a vulnerable version of named receives a query under the circumstances described above, the named process will terminate due to a failed assertion check. The vulnerability affects only BIND 9 releases 9.16.19, 9.17.16, and release 9.16.19-S1 of the BIND Supported Preview Edition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-18T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In BIND 9.16.19, 9.17.16. Also, version 9.16.19-S1 of BIND Supported Preview Edition When a vulnerable version of named receives a query under the circumstances described above, the named process will terminate due to a failed assertion check. The vulnerability affects only BIND 9 releases 9.16.19, 9.17.16, and release 9.16.19-S1 of the BIND Supported Preview Edition.",
  "id": "GHSA-cc8x-chx9-c63q",
  "modified": "2022-05-24T19:11:29Z",
  "published": "2022-05-24T19:11:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25218"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/v1/docs/cve-2021-25218"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZPJCLGSR4BTGFLBLGIE5TEQP2SNJKGVL"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210909-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/08/18/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/08/20/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CG96-Q9GQ-2PR7

Vulnerability from github – Published: 2023-11-02 15:30 – Updated: 2025-11-04 00:30
VLAI
Details

A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-02T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.",
  "id": "GHSA-cg96-q9gq-2pr7",
  "modified": "2025-11-04T00:30:40Z",
  "published": "2023-11-02T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38469"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-38469"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191687"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00011.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJPH-QX8Q-WCX4

Vulnerability from github – Published: 2022-01-26 00:02 – Updated: 2022-01-28 00:02
VLAI
Details

There is an Assertion ''ecma_is_value_boolean (base_value)'' failed at /jerry-core/ecma/operations/ecma-get-put-value.c in Jerryscript 3.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-25T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is an Assertion \u0027\u0027ecma_is_value_boolean (base_value)\u0027\u0027 failed at /jerry-core/ecma/operations/ecma-get-put-value.c in Jerryscript 3.0.0.",
  "id": "GHSA-cjph-qx8q-wcx4",
  "modified": "2022-01-28T00:02:34Z",
  "published": "2022-01-26T00:02:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jerryscript-project/jerryscript/issues/4876"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CMH2-2G79-CXCQ

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

The function "Token& Scanner::peek" in scanner.cpp in yaml-cpp 0.5.3 and earlier allows remote attackers to cause a denial of service (assertion failure and application exit) via a '!2' string.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-30T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "The function \"Token\u0026 Scanner::peek\" in scanner.cpp in yaml-cpp 0.5.3 and earlier allows remote attackers to cause a denial of service (assertion failure and application exit) via a \u0027!2\u0027 string.",
  "id": "GHSA-cmh2-2g79-cxcq",
  "modified": "2022-05-13T01:25:07Z",
  "published": "2022-05-13T01:25:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11692"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jbeder/yaml-cpp/issues/519"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202007-14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPCX-WWW7-V9F3

Vulnerability from github – Published: 2024-10-28 15:31 – Updated: 2024-10-28 15:31
VLAI
Details

Reachable Assertion in BPv7 parser in µD3TN v0.14.0 allows attacker to disrupt service via malformed Extension Block

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T14:15:04Z",
    "severity": "HIGH"
  },
  "details": "Reachable Assertion in BPv7 parser in \u00b5D3TN v0.14.0 allows attacker to disrupt service via malformed Extension Block",
  "id": "GHSA-cpcx-www7-v9f3",
  "modified": "2024-10-28T15:31:16Z",
  "published": "2024-10-28T15:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10455"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/d3tn/ud3tn/-/issues/227"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPHR-J5F7-39X9

Vulnerability from github – Published: 2022-05-14 03:15 – Updated: 2024-09-09 15:30
VLAI
Details

The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-23T18:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.",
  "id": "GHSA-cphr-j5f7-39x9",
  "modified": "2024-09-09T15:30:36Z",
  "published": "2022-05-14T03:15:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9388"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mdadams/jasper/commit/411a4068f8c464e883358bf403a3e25158863823"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1208"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2016/11/16/jasper-multiple-assertion-failure"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1396962"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3693-1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/11/17/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)

Mitigation
Implementation

Strategy: Input Validation

Perform input validation on user data.

No CAPEC attack patterns related to this CWE.