Description
iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
Remediation
References
https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js
https://github.com/iden3/snarkjs/tags
Related Vulnerabilities
CVE-2023-27902 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-3691 Vulnerability in npm package layui
CVE-2021-29060 Vulnerability in npm package color-string
CVE-2021-3189 Vulnerability in npm package slashify
CVE-2023-47321 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web