Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for taiko-mono by taikoxyz

    CVE-2025-66559 (GCVE-0-2025-66559)

    Vulnerability from nvd – Published: 2025-12-04 22:23 – Updated: 2025-12-05 17:29
    VLAI
    Title
    Taiko Alethia Pacaya inbox verification pointer corruption
    Summary
    Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-129 - Improper Validation of Array Index
    Assigner
    References
    Impacted products
    Vendor Product Version
    taikoxyz taiko-mono Affected: <= 2.3.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-05T17:28:55.262649Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-05T17:29:01.887Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "taiko-mono",
              "vendor": "taikoxyz",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 2.3.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-129",
                  "description": "CWE-129: Improper Validation of Array Index",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T22:23:55.608Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x"
            },
            {
              "name": "https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8"
            }
          ],
          "source": {
            "advisory": "GHSA-5mxh-r33p-6h5x",
            "discovery": "UNKNOWN"
          },
          "title": "Taiko Alethia Pacaya inbox verification pointer corruption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66559",
        "datePublished": "2025-12-04T22:23:55.608Z",
        "dateReserved": "2025-12-04T16:01:32.473Z",
        "dateUpdated": "2025-12-05T17:29:01.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66559 (GCVE-0-2025-66559)

    Vulnerability from cvelistv5 – Published: 2025-12-04 22:23 – Updated: 2025-12-05 17:29
    VLAI
    Title
    Taiko Alethia Pacaya inbox verification pointer corruption
    Summary
    Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-129 - Improper Validation of Array Index
    Assigner
    References
    Impacted products
    Vendor Product Version
    taikoxyz taiko-mono Affected: <= 2.3.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-05T17:28:55.262649Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-05T17:29:01.887Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "taiko-mono",
              "vendor": "taikoxyz",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 2.3.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-129",
                  "description": "CWE-129: Improper Validation of Array Index",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T22:23:55.608Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x"
            },
            {
              "name": "https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8"
            }
          ],
          "source": {
            "advisory": "GHSA-5mxh-r33p-6h5x",
            "discovery": "UNKNOWN"
          },
          "title": "Taiko Alethia Pacaya inbox verification pointer corruption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66559",
        "datePublished": "2025-12-04T22:23:55.608Z",
        "dateReserved": "2025-12-04T16:01:32.473Z",
        "dateUpdated": "2025-12-05T17:29:01.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }