Description
iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
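The check below is an added example, not code from snarkjs or from this advisory. It shows one way a caller can reject non-canonical public signals before handing them to a Groth16 verifier. It assumes the missing validation is a range check on each public signal value and that the BN254 (bn128) scalar field is in use; `checkPublicSignals`, `parseSignal` and the sample values are hypothetical names and constructed data.

```javascript
// Added example: canonical-range check for Groth16 public signals.
// Assumption: BN254 (bn128) scalar field modulus r.
const BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;

// Parse one signal (decimal string, number or BigInt) into a BigInt.
// Returns null for anything that is not a plain non-negative integer.
function parseSignal(s) {
  if (typeof s === "bigint") return s >= 0n ? s : null;
  if (typeof s === "number") return Number.isSafeInteger(s) && s >= 0 ? BigInt(s) : null;
  if (typeof s === "string" && /^(0|[1-9][0-9]*)$/.test(s)) return BigInt(s);
  return null;
}

// Returns { ok, errors }; ok is true only if every signal satisfies 0 <= s < r
// and the array has exactly the number of signals the circuit expects.
function checkPublicSignals(publicSignals, expectedCount, r = BN254_R) {
  const errors = [];
  if (!Array.isArray(publicSignals) || publicSignals.length !== expectedCount) {
    return { ok: false, errors: ["unexpected number of public signals"] };
  }
  publicSignals.forEach((s, i) => {
    const v = parseSignal(s);
    if (v === null) errors.push(`signal ${i}: not a non-negative integer`);
    else if (v >= r) errors.push(`signal ${i}: not below the field modulus`);
  });
  return { ok: errors.length === 0, errors };
}

// Constructed sample: a value and the same value plus r. Both reduce to the
// same field element, so an application that tracks spent values by their raw
// encoding would treat them as different unless the range check is enforced.
const sampleValue = 123456789n;
const aliasedValue = sampleValue + BN254_R;

function demo() {
  return {
    sameElement: aliasedValue % BN254_R === sampleValue,
    canonical: checkPublicSignals([sampleValue.toString(), "1"], 2).ok,
    aliased: checkPublicSignals([aliasedValue.toString(), "1"], 2).ok,
  };
}
console.log(demo());
```

Run the check on every proof submission before verification and before any spent-value bookkeeping, and reject the whole submission on the first error.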
Remediation
References
https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
https://github.com/iden3/snarkjs/tags