Description:
Versions ≤1.1.5 of the [bigint-buffer](https://github.com/no2chem/bigint-buffer) package contain a buffer-overflow bug in the native `toBigIntLE()` binding. Because `@solana/spl-token` (via `buffer-layout-utils`) uses `toBigIntLE()` to deserialize token amounts, passing an invalid or non-Buffer argument can crash the Node.js process, resulting in a denial-of-service.
Steps to Reproduce:
- Install a vulnerable setup:
  `npm install @solana/spl-token@0.4.13 bigint-buffer@1.1.5`
- In Node.js (with native bindings enabled), call for example:
  `const { toBigIntLE } = require('bigint-buffer'); toBigIntLE(null); // invalid input`
- Observe the process crash with a segmentation fault or native addon error.
Actual Behavior:
Node.js process terminates unexpectedly due to a native buffer overflow in `toBigIntLE()`.
Expected Behavior:
Invalid inputs should throw a JavaScript-level `TypeError` (or similar) without crashing the process.
Environment:
- Node.js v16+ (with `node-gyp` build tooling)
- `@solana/spl-token` v0.4.13 (via `@solana/buffer-layout-utils`)
- `bigint-buffer` v1.1.5
Impact:
High severity (CVE-2025-3194 / GHSA-3gc7-fjrx-p6mg). An attacker controlling buffer-input data can trigger a DoS by crashing any service deserializing SPL Token amounts.
Suggested Mitigation:
- Add a guard in `toBigIntLE()` (native addon) to validate `Buffer.isBuffer(input)` before dereferencing.
- Fall back to the pure-JS implementation on invalid input rather than invoking the native binding.
- Release patched versions of `bigint-buffer`, and bump `@solana/web3.js` / `@solana/spl-token` to depend on the fixed version.
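The guard-plus-fallback shape suggested above, as an added example (this is not code from `bigint-buffer` or `@solana/spl-token`): a little-endian `Buffer` to `BigInt` decoder that checks `Buffer.isBuffer()` at the JavaScript boundary and throws a `TypeError` for anything else, so a native binding is never reached with a non-Buffer. The `nativeImpl` parameter is a hypothetical slot standing in for the native binding, the `decodeU64Amount()` wrapper and its 8-byte length check are assumptions about how a token-amount deserializer might consume the result, and the sample bytes are constructed for the example.

```javascript
// Added example (not bigint-buffer's or @solana/spl-token's code): a guarded
// little-endian Buffer -> BigInt decoder that rejects non-Buffer input with a
// JavaScript TypeError instead of handing it to a native binding.

// Pure-JS fallback: interpret the bytes of `buf` as an unsigned little-endian integer.
function toBigIntLEPure(buf) {
  let result = 0n;
  // Walk from the most significant byte (last) to the least significant (first).
  for (let i = buf.length - 1; i >= 0; i--) {
    result = (result << 8n) | BigInt(buf[i]);
  }
  return result;
}

// Guarded entry point. `nativeImpl` is a hypothetical optional slot for a native
// binding; it is only ever called with a real Buffer. Without it, the pure-JS path runs.
function safeToBigIntLE(input, nativeImpl) {
  if (!Buffer.isBuffer(input)) {
    const got = input === null ? 'null' : Array.isArray(input) ? 'array' : typeof input;
    throw new TypeError(`toBigIntLE expects a Buffer, received ${got}`);
  }
  if (typeof nativeImpl === 'function') {
    return nativeImpl(input);
  }
  return toBigIntLEPure(input);
}

// Assumed consumer: decode an 8-byte u64 amount field (the width SPL token amounts use)
// and report a structured result instead of throwing, so a deserializer can reject
// malformed input without taking the process down.
function decodeU64Amount(field) {
  try {
    if (Buffer.isBuffer(field) && field.length !== 8) {
      throw new RangeError(`u64 amount field must be 8 bytes, got ${field.length}`);
    }
    return { ok: true, value: safeToBigIntLE(field) };
  } catch (err) {
    return { ok: false, error: err.constructor.name, message: err.message };
  }
}

// Constructed sample: the u64 amount 10_000_000_000 (0x2540BE400) as little-endian bytes.
const SAMPLE_AMOUNT_LE = Buffer.from([0x00, 0xe4, 0x0b, 0x54, 0x02, 0x00, 0x00, 0x00]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeU64Amount(SAMPLE_AMOUNT_LE)); // { ok: true, value: 10000000000n }
  console.log(decodeU64Amount(null));             // { ok: false, error: 'TypeError', ... }
  console.log(decodeU64Amount('0x2540BE400'));    // { ok: false, error: 'TypeError', ... }
}
```

The important property is that the type check happens before any native code is involved: `null`, strings, plain arrays and `undefined` all surface as a catchable `TypeError`, which is the behaviour the Expected Behavior section asks for, and a deserializer can turn that into a rejected message rather than a crashed service.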
References:
- GitHub Advisory: GHSA-3gc7-fjrx-p6mg
- CVE-2025-3194: https://nvd.nist.gov/vuln/detail/CVE-2025-3194
- Snyk Report: https://security.snyk.io/vuln/SNYK-JS-BIGINTBUFFER-3364597
Labels:
area/security
severity/high
needs-triage