{"id":"CVE-2023-34458","summary":"mx-chain-go's relayed transactions always increment nonce","details":"mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag `RelayedNonceFixEnableEpoch` was needed. This was a strict processing issue while validating blocks on a chain. This vulnerability has been patched in version 1.4.17.","aliases":["GHSA-j494-7x2v-vvvp","GO-2023-1912"],"modified":"2026-04-10T04:58:31.184305Z","published":"2023-07-13T18:45:03.499Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34458.json","cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14"},{"type":"WEB","url":"https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34458.json"},{"type":"ADVISORY","url":"https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34458"},{"type":"FIX","url":"https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/multiversx/mx-chain-go","events":[{"introduced":"0"},{"fixed":"babdb144f1316ab6176bf3dbd7d4621120414d43"}]}],"versions":["V1.0.6","V1.0.7","test-01","v.0.5","v1.0.1","v1.0.127","v1.0.128","v1.0.129","v1.0.13","v1.0.130","v1.0.131","v1.0.132","v1.0.133","v1.0.135","v1.0.136","v1.0.137","v1.0.138","v1.0.139","v1.0.14","v1.0.148","v1.0.150","v1.0.2","v1.0.25","v1.0.3","v1.0.4","v1.0.5","v1.0.6","v1.0.7","v1.0.8","v1.1.0","v1.1.1","v1.1.10","v1.1.11","v1.1.12","v1.1.13","v1.1.14","v1.1.15","v1.1.16","v1.1.17","v1.1.18","v1.1.19","v1.1.2","v1.1.20","v1.1.21","v1.1.22","v1.1.23","v1.1.24","v1.1.25","v1.1.26","v1.1.27","v1.1.28","v1.1.29","v1.1.3","v1.1.30","v1.1.31","v1.1.32","v1.1.33","v1.1.34","v1.1.35","v1.1.36","v1.1.37","v1.1.38","v1.1.4","v1.1.40","v1.1.41","v1.1.43","v1.1.47","v1.1.48","v1.1.49","v1.1.50","v1.1.51","v1.1.52","v1.1.53","v1.1.54","v1.1.55","v1.1.56","v1.1.57","v1.1.58","v1.1.59","v1.1.6","v1.1.60","v1.1.61","v1.1.62","v1.1.63","v1.1.64","v1.1.7","v1.1.8","v1.1.9","v1.2.10","v1.2.11","v1.2.12","v1.2.13","v1.2.14","v1.2.16","v1.2.17","v1.2.18","v1.2.19","v1.2.20","v1.2.22","v1.2.24","v1.2.25","v1.2.26","v1.2.27","v1.2.28","v1.2.29","v1.2.30","v1.2.31","v1.2.33","v1.2.34","v1.2.5","v1.3.10","v1.3.11","v1.3.12","v1.3.13","v1.3.14","v1.3.15","v1.3.16","v1.3.17","v1.3.17-rc1","v1.3.19-rc1","v1.3.19-rc2","v1.3.23-rc1","v1.3.3","v1.3.32","v1.3.33","v1.3.34","v1.3.35","v1.3.36","v1.3.4","v1.3.43","v1.3.44","v1.3.45","v1.3.46","v1.3.47","v1.3.48","v1.3.49","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v1.4.16"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34458.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"}]}