Yesterday afternoon we received a report from Scott Bigelow at Amberdata that a specially constructed RPC call may be able to crash Parity Ethereum nodes (any version) who have manually enabled public-facing RPC. For versions 2.5.6-stable and 2.6.1-beta and earlier, trace_call RPC can be executed remotely by a third party.

Who’s affected?

Nodes who have manually enabled public-facing RPC are affected. Furthermore, we suspect that nodes who have manually enabled tracing may also be vulnerable. This means that primarily only public infrastructure setups are exposed. Regular users who have not changed these node setting are not impacted.

Who’s not affected?

By default, Parity Ethereum does not enable tracing or public-facing RPC, so the majority of nodes should be not be affected. Regardless, we recommend everyone running Parity Ethereum nodes to update to this latest version.

Fix available—update ASAP

Releases 2.5.7-stable and 2.6.2-beta are now available and fix this issue. Download them here.

Please update your nodes to the newest version ASAP, especially if you’re running a node that has enabled tracing or a node that has enabled publicly-facing RPC. Nodes with `--auto-update=all` flag set will receive the updates automatically.

By default, Parity Ethereum only listens to local loopback IP addresses. As a rule, we recommend never exposing unfiltered RPC interface to the internet, as it’s not needed unless running an infrastructure service.

Bug bounty program

Thanks to Scott Bigelow for reporting. As always, we welcome and reward bug findings as per our bug bounty program.