CVE-2023-6245: 
Rust vulnerability analysis and mitigation

CVE-2023-6245 affects the Candid library versions 0.9.0 through 0.9.10 and causes a Denial of Service vulnerability while parsing specially crafted payloads with 'empty' data type. The vulnerability was discovered and disclosed on December 8, 2023, affecting Rust-based canisters using the affected versions of Candid, while Motoko-based canisters remain unaffected (GHSA Advisory).

The vulnerability occurs when parsing a payload with format record { * ; empty } while the canister interface expects record { * }. The Rust Candid decoder incorrectly categorizes 'empty' as a recoverable error when skipping the field, resulting in an infinite decoding loop. This causes the decoding process to run indefinitely until the canister traps due to reaching the maximum instruction limit per execution round (GHSA Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, the vulnerability leads to degraded performance of the affected canister through repeated exposure to malicious payloads. The impact is particularly significant for asset canister users using dfx versions >= 0.14.4 to <= 0.15.2-beta.0, as these versions ship with an affected version of Candid (GHSA Advisory).

The vulnerability has been patched in Candid version 0.9.10. All Rust-based canisters using Candid versions >= 0.9.0 must upgrade to version >= 0.9.10 and deploy their canisters to mainnet. There are no workarounds available other than upgrading to the patched version (GHSA Advisory).