Summary
snarkjs versions <= 0.6.11 are affected by CVE-2023-33252 (High), a double-spend vulnerability. No patched version is currently available.
snarkjs versions through 0.6.11 contain a flaw in proof verification that may allow double-spend attacks in zero-knowledge proof applications. This could enable an attacker to submit multiple valid-appearing proofs for the same input, potentially leading to financial loss in DeFi or token applications.
Why This Is Deferred
No patched version exists upstream. The snarkjs maintainers have not yet released a fix.
Recommended Path Forward
- Monitor the snarkjs repository for a patched release
- Evaluate alternative ZK proof libraries if timeline is critical
- Implement application-level double-spend protections as a mitigation
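One way to implement the application-level protection from the last item, as an added example (not snarkjs code and not this project's own). It relies on the CVE record's description of the flaw, which is that snarkjs does not validate that public signals are below the field modulus. `SpendGuard`, `parseSignal`, `verifyFn` and `nullifierIndex` are hypothetical names; decimal-string public signals and the BN254 scalar field are assumptions.

```javascript
// Order of the BN254 (alt_bn128) scalar field; assumed to be the circuit's field.
const SNARK_FIELD =
  21888242871839275222246405745257275088548364400416034343698204186575808495617n;

// Accept only a canonical decimal string v with 0 <= v < SNARK_FIELD.
function parseSignal(s) {
  if (typeof s !== "string" || !/^(0|[1-9][0-9]*)$/.test(s)) {
    throw new Error("public signal is not a canonical decimal string");
  }
  const v = BigInt(s);
  if (v >= SNARK_FIELD) {
    throw new Error("public signal is not below the field modulus");
  }
  return v;
}

class SpendGuard {
  // verifyFn: async (publicSignals, proof) => boolean, a hypothetical wrapper
  // around the application's real verifier call.
  // nullifierIndex: position of the nullifier in publicSignals (circuit-specific).
  constructor(verifyFn, nullifierIndex) {
    this.verifyFn = verifyFn;
    this.nullifierIndex = nullifierIndex;
    this.spent = new Set(); // in production: durable store with a unique constraint
  }

  async accept(publicSignals, proof) {
    let key;
    try {
      // Range-check every signal before the verifier ever sees it.
      const v = publicSignals.map(parseSignal)[this.nullifierIndex];
      if (v === undefined) throw new Error("nullifier missing from public signals");
      key = v.toString(); // canonical form, so one value has exactly one key
    } catch (e) {
      return { ok: false, reason: e.message };
    }
    if (this.spent.has(key)) return { ok: false, reason: "nullifier already spent" };
    this.spent.add(key); // reserve before awaiting so concurrent calls cannot both pass
    let valid = false;
    try {
      valid = await this.verifyFn(publicSignals, proof);
    } finally {
      if (!valid) this.spent.delete(key); // release the reservation on failure
    }
    return valid ? { ok: true } : { ok: false, reason: "proof rejected" };
  }
}
```

If proofs are also verified on-chain, the same range check belongs in the contract, since this guard only covers the off-chain path.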