GHSA-rqr8-pxh7-cq3g: 
Python vulnerability analysis and mitigation

A Denial of Service (DoS) vulnerability was discovered in the Ethereum ABI decoder affecting eth-abi package versions below 4.2.0. The vulnerability (GHSA-rqr8-pxh7-cq3g) was published on November 23, 2023, and involves the parsing of Zero-Sized Types (ZST) which can lead to potential DoS attacks in server systems. The issue was identified by Trail of Bits and affects the official eth-abi library (GitHub Advisory).

The vulnerability stems from the Ethereum ABI specification's allowance of Zero-Sized Types (ZST). When parsing an array of ZST, the decoder attempts to process as many ZST elements as specified in the byte array. The issue occurs because while ZST takes zero bytes when stored, it occupies memory during parsing. The vulnerability can be demonstrated using a payload of two 32-byte blocks that describe a serialized array of ZST, where the first block defines an offset to the array's elements and the second block defines the array length. The vulnerability has been assigned a CVSS score of 4.3 (Moderate) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

The vulnerability can cause denial-of-service conditions in server systems through excessive memory consumption. When processing malicious payloads, the system will attempt to allocate memory for a large number of elements, potentially leading to system hangs and out-of-memory errors (GitHub Advisory).

The vulnerability has been patched in version 4.2.0 of the eth-abi package. The recommended remediation is to disallow the parsing of Zero-Sized Types completely. Users should upgrade to version 4.2.0 or later to address this vulnerability (GitHub Advisory).