Unauthenticated Remote DoS via xpub Change-Index Amplification
A flaw in Blockbook's xpub output-descriptor handling allowed a single unauthenticated HTTP request to trigger a disproportionately large amount of work, because the number of change indexes a caller could supply in a descriptor was not bounded. Each index expanded into a large set of address derivations and database lookups, and the results were stored in a global in-memory cache that had no size limit and retained entries for an hour. By sending a small number of crafted descriptors over time, an attacker could exhaust the server's memory and force an out-of-memory crash, which could leave the underlying database in an inconsistent state requiring a full reindex to recover. The fix bounds the work a single request can generate and limits the cache so that descriptor lookups can no longer accumulate unbounded memory.
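The two halves of the fix described above, as an added illustration in Go (Blockbook's language) that is not Blockbook's own code: a parser that refuses change-index lists longer than a fixed cap before any derivation or database work happens, and a result cache with a hard entry limit that evicts its oldest entry instead of growing without bound. The cap value, the query format, the `BoundedCache` type and the placeholder address payload are assumptions; the existing one-hour expiry is left out to keep the example short.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// MaxChangeIndexes caps the change indexes one request may list (constructed limit, not Blockbook's).
const MaxChangeIndexes = 4
// ParseChangeIndexes parses a comma-separated change-index list from a descriptor
// query and rejects lists that would amplify the work of a single request.
func ParseChangeIndexes(s string) ([]uint32, error) {
	parts := strings.Split(s, ",")
	if len(parts) > MaxChangeIndexes {
		return nil, fmt.Errorf("too many change indexes: %d > %d", len(parts), MaxChangeIndexes)
	}
	out := make([]uint32, 0, len(parts))
	for _, p := range parts {
		v, err := strconv.ParseUint(strings.TrimSpace(p), 10, 31) // non-hardened BIP32 range
		if err != nil {
			return nil, fmt.Errorf("invalid change index %q", p)
		}
		out = append(out, uint32(v))
	}
	return out, nil
}
// BoundedCache holds derived-address results under a hard entry limit: when full
// it evicts the oldest key instead of growing until the process is OOM-killed.
type BoundedCache struct {
	max   int
	items map[string][]string // descriptor key -> derived addresses (placeholder)
	order []string            // insertion order, oldest first
}
func NewBoundedCache(max int) *BoundedCache { // max must be > 0
	return &BoundedCache{max: max, items: map[string][]string{}}
}
// Put stores addrs under key, evicting the oldest entries while the cache is full.
func (c *BoundedCache) Put(key string, addrs []string) {
	if _, ok := c.items[key]; !ok {
		for len(c.order) >= c.max {
			delete(c.items, c.order[0])
			c.order = c.order[1:]
		}
		c.order = append(c.order, key)
	}
	c.items[key] = addrs
}
func (c *BoundedCache) Get(key string) ([]string, bool) { a, ok := c.items[key]; return a, ok }
func (c *BoundedCache) Len() int { return len(c.order) }
```

With these bounds in place, the worst case per request is `MaxChangeIndexes` derivations and the cache can never hold more than `max` descriptor results regardless of how many distinct descriptors are sent.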