CVE-2019-25072: 
NixOS vulnerability analysis and mitigation

CVE-2019-25072 is a vulnerability in the Tendermint client library that was discovered and disclosed in December 2022. The vulnerability affects versions of Tendermint before v0.31.1. The issue stems from the client's default support of Gzip compression in request bodies and unlimited response body sizes (NVD, Go Vuln DB).

The vulnerability exists in the HTTP client implementation where compression was enabled by default through the Transport configuration. The issue specifically affects the NewJSONRPCClient and NewURIClient functions in the github.com/tendermint/tendermint/rpc/lib/client package. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability allows a malicious server to cause a client to consume a significant amount of system resources through Gzip compression manipulation. This can be used as a denial of service vector, potentially making the affected system unresponsive (NVD, Go Vuln DB).

The vulnerability was patched in Tendermint version v0.31.1 by setting DisableCompression to true in the HTTP Transport configuration. The fix prevents potential GZIP-bomb DoS attacks by disabling compression support in the client (Tendermint Commit).