Description
iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
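As an added illustration of the missing check (this is not code from snarkjs or the iden3 project), the validation a verifier or application should apply to each public signal before trusting it; it assumes the field modulus in question is the BN254 scalar field order r that snarkjs uses for bn128 circuits, and the nullifier store, the nullifier value and its aliased form are constructed for the example.

```javascript
// Added example, not snarkjs code. Assumption: the "field modulus" the
// advisory refers to is the BN254 scalar field order r, the field in which
// snarkjs public signals live for bn128 circuits.
const BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;

// Parse a decimal or 0x-prefixed signal string into a BigInt; reject anything else.
function parseSignal(s) {
  if (typeof s === "bigint") return s;
  if (typeof s !== "string" || !/^(0x[0-9a-fA-F]+|[0-9]+)$/.test(s)) {
    throw new TypeError(`malformed public signal: ${String(s)}`);
  }
  return BigInt(s);
}

// A signal is canonical only if 0 <= v < r. Any other encoding of the same
// field element (v + r, v + 2r, ...) must be rejected before use.
function isCanonical(signal, r = BN254_R) {
  const v = parseSignal(signal);
  return v >= 0n && v < r;
}

function publicSignalsAreCanonical(signals, r = BN254_R) {
  return signals.every((s) => isCanonical(s, r));
}

// The field element that a (possibly non-canonical) signal actually denotes.
function reduceSignal(signal, r = BN254_R) {
  return ((parseSignal(signal) % r) + r) % r;
}

// Constructed nullifier store. strict=false keys on the raw string, so an
// aliased encoding of an already-spent element is not recognised as seen;
// strict=true rejects any non-canonical signal before the lookup.
function makeNullifierStore(strict) {
  const seen = new Set();
  return (signal) => {
    if (strict && !isCanonical(signal)) return "rejected";
    if (seen.has(signal)) return "double-spend";
    seen.add(signal);
    return "spent";
  };
}

// Constructed values for illustration, not taken from any real proof.
const NULLIFIER = "1234567890123456789";
const ALIASED = (BigInt(NULLIFIER) + BN254_R).toString();
```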
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.6.11
References
Tags: npm, snarkjs
Last updated on January 21, 2025