Home/CVE/The Candid library causes a Denial of Service while parsing a specially crafted payload with 'empty' data type. For exa
CVE

CVE-2023-6245

The Candid library causes a Denial of Service while parsing a specially crafted payload with 'empty' data type. For exa

The Candid library causes a Denial of Service while parsing a specially crafted payload with 'empty' data type. For example, if the payload is `record { *.

empty } and the canister interface expects record { * }` then the Rust candid decoder treats empty as an extra field required by the type. The problem with the type empty is that the candid Rust library wrongly categorizes empty as a recoverable error when skipping the field and thus causing an infinite decoding loop. Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.

HIGH · CVSS 7.5 EPSS 0.00131
Schedule remediation
  • SSVC automatable: yes - attacks can be scripted at scale
  • CVSS base score ≥ 7.0
Sigma rules0 YARA rules0

Weakness Classification

CWE-1288Improper Validation of Consistency within Input
CWE-168Improper Handling of Inconsistent Special Elements
CWE-20Improper Input Validation
CWE-835Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-835Loop with Unreachable Exit Condition ('Infinite Loop')

Affected Products & Versions

1
dfinity candid>= 0.9.0 and < 0.9.10

Affected Packages

1
Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
crates.io candid HIGH fixed in 0.9.10

Scoring & Timeline

7.5
HIGH · CVSS v3.1 · 6b35d637-e00f-4228-858c-b20ad6e1d07b
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD08 Dec 2023 · 03:15 PM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC triage · cisa-vulnrichment
Exploitation
none
Automatable
yes
Technical impact
partial
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.
🔗

References & Sources

5
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://github.com/dfinity/candid/blob/master/spec/Candid.mdProduct
https://github.com/dfinity/candid/pull/478Patch
https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3jPatchThird Party Advisory
https://internetcomputer.org/docs/current/references/candid-refProduct
https://internetcomputer.org/docs/current/references/ic-interface-specProduct
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin