JFrog Security Research
< Back

XRAY-248681 - eth-account ReDoS

CVE-2022-1930 | CVSS 5.9

JFrog Severity:medium

Discovered ByDenys Vozniukof the JFrog Security Research Team

Published 11 Aug, 2022 | Last updated 11 Aug, 2022

Exponential ReDoS in eth-account leads to denial of service


eth-account (,0.5.9), fixed in 0.5.9

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the eth-account PyPI package, when an attacker is able to supply arbitrary input to the encode_structured_data method

        "types": {
                "EIP712Domain": [
                        {"name": "aaaa", "type": "$[11111111111111111111111110"},
                        {"name": "version", "type": "string"},
                        {"name": "chainId", "type": "uint256"},
                        {"name": "verifyingContract", "type": "address"}

No mitigations are supplied for this issue


< Back