Unauthenticated Remote Memory Exhaustion via Unbounded Timestamp Array
A flaw in Blockbook's fiat-rates lookups allowed a single unauthenticated request to consume a disproportionate amount of server memory, because the REST multi-tickers endpoint and the corresponding WebSocket method accepted a caller-supplied list of timestamps with no upper bound on its size. A single large request could allocate a substantial amount of heap, and because the WebSocket layer permitted many concurrent pending requests per connection with no global limit, one connection could sustain several gigabytes of allocation pressure. This could force an out-of-memory crash, which could leave the underlying database in an inconsistent state requiring a full reindex to recover. The fix bounds the number of timestamps accepted per request and limits concurrent in-flight work so a single connection can no longer drive unbounded memory use.
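The two mitigations described above, written out as an added illustration in Go (Blockbook's language), not Blockbook's own code: the list length is checked before any allocation proportional to it, and a per-connection semaphore refuses, rather than queues, requests beyond a fixed in-flight count. The limit values and all names here are assumptions; the real limits chosen by the fix are not on the page.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Assumed limits; the actual values used by the fix are not stated on the page.
const (
	maxTimestamps = 100
	maxInFlight   = 4
)

var ErrTooManyTimestamps = errors.New("too many timestamps in request")

// parseTimestamps parses a comma-separated list of unix timestamps. The size
// check uses strings.Count so an oversized request is rejected before any
// slice sized by the caller's input is allocated.
func parseTimestamps(raw string) ([]int64, error) {
	if raw == "" {
		return nil, nil
	}
	if strings.Count(raw, ",")+1 > maxTimestamps {
		return nil, ErrTooManyTimestamps
	}
	parts := strings.Split(raw, ",")
	out := make([]int64, 0, len(parts))
	for _, p := range parts {
		ts, err := strconv.ParseInt(strings.TrimSpace(p), 10, 64)
		if err != nil {
			return nil, err
		}
		out = append(out, ts)
	}
	return out, nil
}

// connLimiter bounds pending requests per WebSocket connection with a
// buffered channel used as a counting semaphore.
type connLimiter struct{ slots chan struct{} }

func newConnLimiter() *connLimiter {
	return &connLimiter{slots: make(chan struct{}, maxInFlight)}
}

// acquire returns false without blocking when maxInFlight requests are
// already pending, so the caller rejects the request instead of buffering it.
func (l *connLimiter) acquire() bool {
	select {
	case l.slots <- struct{}{}:
		return true
	default:
		return false
	}
}

func (l *connLimiter) release() { <-l.slots }
```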
Resolved vulnerabilities
- Unauthenticated Remote DoS via xpub Change-Index Amplification (19 May 2026)
- Cross-Origin Popup Takeover in Trezor Connect popup (3 May 2026)
- Reflected cross-site scripting (XSS) vulnerability on connect.trezor.io via hash fragment script injection (25 March 2026)
- EIP-712 Domain Spoofing via Double-Fetch (21 March 2026)
- Open redirect on affiliate page (20 March 2026)
- Biometric Verification bypassed in Trezor Suite with external monitor (9 March 2026)