CVE-2025-29072: 
NixOS vulnerability analysis and mitigation

An integer overflow vulnerability was discovered in Nethermind Juno before version 12.05, specifically affecting the Sierra bytecode decompression logic within the "cairo-lang-starknet-classes" library. The vulnerability was initially reported on November 23, 2024, by Guanxing Wen from CertiK and was publicly disclosed in March 2025. This vulnerability affects Starknet full-node implementations (Starknet Forum).

The vulnerability exists in the Sierra bytecode decompression logic when processing Declare v2/v3 transactions. The issue stems from an integer overflow condition that occurs during the processing of maliciously crafted transactions. The vulnerability received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue was classified under CWE-190 (Integer Overflow or Wraparound) (NVD).

When exploited, the vulnerability can trigger an infinite loop and high CPU usage in affected nodes, leading to a denial-of-service condition. While the Starknet sequencer remained unaffected due to stricter compiler build flags, full nodes were vulnerable to this attack, potentially disrupting their ability to process JSON-RPC requests and affecting the interaction between nodes and DApps (Starknet Forum).

The vulnerability has been patched in Nethermind Juno version 12.05 and later. The fix includes implementing strict overflow checks and additional guardrails around integer handling for each node. Node operators are strongly encouraged to update to the patched version and ensure proper overflow-checks flags are enabled during compilation (Github Commit).

The security community praised Starknet's swift response and transparent handling of the vulnerability. The incident highlighted the importance of uniform security configurations across all implementations and the need for defensive coding practices, particularly in systems handling untrusted inputs (Starknet Forum).