Reported

October 15, 2025

Issued

October 15, 2025

Package

alloy-dyn-abi (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#uncaught-panic

Aliases

• CVE-2025-62370
• GHSA-pgp9-98jm-wwq2

References

• https://github.com/alloy-rs/core/security/advisories/GHSA-pgp9-98jm-wwq2

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.8.26, <1.0.0
• >=1.4.1

Affected Functions

Version

alloy_dyn_abi::eip712::Resolver::encode_type

• <0.8.26
• >=1.0.0, <1.4.1

Description

An uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash().

Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.

The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.

There is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.

Reported by Christian Reitter & Zeke Mostov from Turnkey.

Advisory available under CC0-1.0 license.