CVE-2024-50354

Name of the Vulnerable Software and Affected Versions: gnark versions 0.11.0 and earlier

Description: The issue is related to excessive memory allocation during the deserialization of Groth16 verification keys in gnark, leading to a denial of service (DoS). This can cause the program to crash with an "out of memory" error. The problem arises when the ReadFrom function is called to load a VerifyingKey from a file, and it allocates a large amount of memory based on the value of nbCommitments extracted from the deserialized file.

Recommendations: For gnark versions 0.11.0 and earlier, update to version 0.11.1 or later, which includes the fix for this issue. Alternatively, consider running key verification as a separate service that can halt the verification pipeline in case of an out-of-memory error when verification keys come from untrusted sources. As a temporary workaround, consider disabling the ReadFrom function for untrusted inputs until a patch is applied.