Intel

AIKIDO-2026-540380

viem is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

45

Medium Risk

This Affects:

JSviem
0.1.0 - 2.53.1
Fixed in 2.54.0
Are you affected? Scan for Free

TL;DR

The fromRlp utility in viem decodes Recursive-Length Prefix (RLP) payloads by recursively walking each nested list through fromRlpCursor and readList. Before the fix this recursion had no depth limit, so an RLP payload built from many nested lists drives the decoder into unbounded recursion. Decoding untrusted RLP data such as serialized transactions or network responses can therefore exhaust the call stack and crash the decode operation or the surrounding process. The fix caps RLP decoding at a depth of 1024 and throws RlpDepthLimitExceededError once that limit is reached.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted RLP data to fromRlp or related helpers.

Background info

viem is vulnerable to Denial of Service (DoS) in versions 0.1.0 - 2.53.1.

How to fix this

Upgrade the viem library to the patch version.