CVE-2026-34067: CWE-617: Reachable Assertion in nimiq nimiq-transaction
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
AI Analysis
Technical Summary
The nimiq-transaction Rust library prior to version 1.3.0 contains a reachable assertion failure (CWE-617) in the HistoryTreeProof::verify function. Specifically, the code asserts that the lengths of two vectors, history and positions, are equal. If an attacker supplies a malformed inclusion proof with mismatched lengths via the peer-to-peer network, the assertion triggers a panic, causing the application to crash. This vulnerability arises because the proof object is derived from untrusted network data and is not safely validated before the assertion. The issue is resolved in nimiq-transaction version 1.3.0 by patching this assertion handling.
Potential Impact
An attacker controlling a malicious peer in the Nimiq network can send a crafted inclusion proof with mismatched lengths, triggering an assertion panic and crashing the application using nimiq-transaction versions before 1.3.0. This results in a denial of service (DoS) condition. There is no impact on confidentiality or integrity. The CVSS v3.1 base score is 3.1 (low severity), reflecting the limited impact and the requirement for user interaction and high attack complexity.
Mitigation Recommendations
Upgrade to nimiq-transaction version 1.3.0 or later, where the assertion panic is fixed. No known workarounds exist. Since this is a library vulnerability, users should update their dependencies accordingly to prevent crashes caused by malformed proofs from untrusted peers.
CVE-2026-34067: CWE-617: Reachable Assertion in nimiq nimiq-transaction
Description
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The nimiq-transaction Rust library prior to version 1.3.0 contains a reachable assertion failure (CWE-617) in the HistoryTreeProof::verify function. Specifically, the code asserts that the lengths of two vectors, history and positions, are equal. If an attacker supplies a malformed inclusion proof with mismatched lengths via the peer-to-peer network, the assertion triggers a panic, causing the application to crash. This vulnerability arises because the proof object is derived from untrusted network data and is not safely validated before the assertion. The issue is resolved in nimiq-transaction version 1.3.0 by patching this assertion handling.
Potential Impact
An attacker controlling a malicious peer in the Nimiq network can send a crafted inclusion proof with mismatched lengths, triggering an assertion panic and crashing the application using nimiq-transaction versions before 1.3.0. This results in a denial of service (DoS) condition. There is no impact on confidentiality or integrity. The CVSS v3.1 base score is 3.1 (low severity), reflecting the limited impact and the requirement for user interaction and high attack complexity.
Mitigation Recommendations
Upgrade to nimiq-transaction version 1.3.0 or later, where the assertion panic is fixed. No known workarounds exist. Since this is a library vulnerability, users should update their dependencies accordingly to prevent crashes caused by malformed proofs from untrusted peers.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.867Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e92c8e19fe3cd2cdeac9a0
Added to database: 4/22/2026, 8:16:14 PM
Last enriched: 4/22/2026, 8:31:10 PM
Last updated: 4/22/2026, 10:37:12 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.