Back to Vulnerability database

Corrupt RPC responses from remote daemon nodes can lead to transaction tracing

ID Submit date Publish date Author Score
1 10.26.2018 10.28.2018 Monero Hax123 5.6


When using a remote node, the Monero client relies on the node to provide information from the blockchain, in particular the public keys and transaction outputs corresponding to mixins that the client chooses by global index (gidx). The client selects a handful of gidxs, and passes these in a request to the “get_outs.bin” RPC endpoint. The client is generally designed to provide untraceability even against the untrusted remote node, e.g. by masking which index in the request is the real one being spent. However, if the remote node provides an invalid response then the client may end up inadvertently revealing information about the real gidx being spent. Vector: BVSS:1.1/B:N/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:L/AI:L