CVE-2025-29072
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-29072 is an integer overflow vulnerability (CWE-190) in Nethermind Juno versions before v1.2.05, specifically within the Sierra bytecode decompression logic of the "cairo-lang-starknet-classes" library. This flaw affects Starknet full-node implementations running the vulnerable Juno client, enabling remote attackers to induce an infinite loop and excessive CPU usage upon processing malformed input. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial-of-service without requiring authentication or user interaction.
Any unauthenticated remote attacker with network access to a vulnerable Starknet full node can exploit this by submitting a specially crafted Declare v2 or v3 transaction. Successful exploitation triggers the integer overflow during bytecode decompression, causing the node to enter an infinite loop that consumes significant CPU resources and renders the node unresponsive, effectively denying service to legitimate users and potentially disrupting blockchain operations dependent on the affected full node.
The issue is fixed by the Nethermind Juno patch commit at https://github.com/NethermindEth/juno/commit/51074875941aa111c5dd2b41f2ec890a4a15b587, which resolves it in version v1.2.05 and later. The Starknet community advisory at https://community.starknet.io/t/starknet-security-update-potential-full-node-vulnerability-recap/115314 provides additional context on the vulnerability and recommends updating affected full-node implementations promptly to prevent exploitation.
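The bug class named in the summary (CWE-190 leading to a loop that never terminates) is sketched below as an added example; it is not code from Juno or from cairo-lang-starknet-classes. The record format, the function names and the sample bytes are all constructed for illustration and do not reflect the real Sierra encoding.

```rust
// Constructed toy format, NOT the real Sierra encoding: records of a 4-byte
// little-endian length followed by that many payload bytes.
#[derive(Debug, PartialEq)]
enum Fault { Rejected, Spinning }

fn read_len(input: &[u8], pos: usize) -> Option<u32> {
    let b = input.get(pos..pos.checked_add(4)?)?;
    Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Vulnerable shape: a 32-bit cursor advanced with wrapping arithmetic.
/// `step_budget` exists only so the demo stops; real code would loop forever.
fn count_records_wrapping(input: &[u8], step_budget: usize) -> Result<usize, Fault> {
    let (mut pos, mut records) = (0u32, 0usize);
    for _ in 0..step_budget {
        if pos as usize >= input.len() { return Ok(records); }
        let len = read_len(input, pos as usize).ok_or(Fault::Rejected)?;
        let next = pos.wrapping_add(4).wrapping_add(len); // wraps for a huge `len`
        if next as usize > input.len() { return Err(Fault::Rejected); } // sees wrapped value
        pos = next; // may not have moved forward at all
        records += 1;
    }
    Err(Fault::Spinning)
}

/// Hardened shape: checked arithmetic, so every accepted record moves the
/// cursor forward by at least 4 bytes and the loop is bounded by input size.
fn count_records_checked(input: &[u8]) -> Result<usize, Fault> {
    let (mut pos, mut records) = (0usize, 0usize);
    while pos < input.len() {
        let len = read_len(input, pos).ok_or(Fault::Rejected)? as usize;
        let next = pos.checked_add(4).and_then(|p| p.checked_add(len));
        match next {
            Some(n) if n <= input.len() => { pos = n; records += 1; }
            _ => return Err(Fault::Rejected),
        }
    }
    Ok(records)
}

fn main() {
    let valid = [2u8, 0, 0, 0, 0xAA, 0xBB, 0, 0, 0, 0]; // constructed: two records
    let wrapping = [0xFCu8, 0xFF, 0xFF, 0xFF];          // constructed: length 0xFFFF_FFFC
    println!("{:?}", count_records_wrapping(&valid, 10_000));
    println!("{:?}", count_records_wrapping(&wrapping, 10_000));
    println!("{:?}", count_records_checked(&wrapping));
}
```

In the wrapping variant the bounds check passes because it is evaluated on the already-wrapped cursor, which is why the fix has to be in the arithmetic and not in an extra comparison afterwards.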
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The integer overflow vulnerability in Sierra bytecode decompression enables remote unauthenticated attackers to trigger an infinite loop and excessive CPU usage via crafted transactions, directly facilitating Endpoint Denial of Service through Application or System Exploitation (T1499.004).