Unauthenticated Remote Memory Exhaustion via Unbounded Timestamp Array
A flaw in Blockbook's fiat-rates lookups allowed a single unauthenticated request to consume a disproportionate amount of server memory, because the REST multi-tickers endpoint and the corresponding WebSocket method accepted a caller-supplied list of timestamps with no upper bound on its size. A single large request could allocate a substantial amount of heap, and because the WebSocket layer permitted many concurrent pending requests per connection with no global limit, one connection could sustain several gigabytes of allocation pressure. This could force an out-of-memory crash, which could leave the underlying database in an inconsistent state requiring a full reindex to recover. The fix bounds the number of timestamps accepted per request and limits concurrent in-flight work so a single connection can no longer drive unbounded memory use.
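As an added illustration of the two mitigations the advisory describes (not Blockbook's own code), the Go sketch below rejects an oversized timestamp list before any per-timestamp allocation and bounds pending requests per connection with a counting semaphore; the limit values, the `Conn` type and the stand-in rate lookup are assumptions.

```go
package main

import "errors"

// Hypothetical limits for this illustration; the page gives no concrete values.
const (
	MaxTimestampsPerRequest = 100 // cap on caller-supplied timestamps per request
	MaxInflightPerConn      = 8   // cap on pending requests per WebSocket connection
)

var (
	ErrTooManyTimestamps = errors.New("too many timestamps in request")
	ErrTooManyInflight   = errors.New("too many in-flight requests on connection")
)

// Conn models one WebSocket connection; slots is a counting semaphore sized to the cap.
type Conn struct{ slots chan struct{} }

func NewConn() *Conn { return &Conn{slots: make(chan struct{}, MaxInflightPerConn)} }

// Acquire takes an in-flight slot without blocking and fails once the cap is reached.
func (c *Conn) Acquire() error {
	select {
	case c.slots <- struct{}{}:
		return nil
	default:
		return ErrTooManyInflight
	}
}

// Release frees the slot when the request completes.
func (c *Conn) Release() { <-c.slots }

// HandleTickersList guards the request path: reject an oversized timestamp list before
// any per-timestamp allocation, then take an in-flight slot, then do the bounded work.
// The rate lookup itself is a constructed stand-in that returns 1.0 for every timestamp.
func (c *Conn) HandleTickersList(ts []int64) ([]float64, error) {
	if len(ts) > MaxTimestampsPerRequest {
		return nil, ErrTooManyTimestamps
	}
	if err := c.Acquire(); err != nil {
		return nil, err
	}
	defer c.Release()
	out := make([]float64, len(ts)) // bounded by MaxTimestampsPerRequest
	for i := range ts {
		out[i] = 1.0
	}
	return out, nil
}
```

Checking the list length before the semaphore means a rejected request costs no slot and no heap, while the semaphore turns a burst of pending calls into immediate errors instead of queued allocations.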