New Parity Ethereum update protects against RPC call vulnerability

Parity Technologies


August 28, 2019

Yesterday afternoon we received a report from Scott Bigelow at Amberdata that a specially constructed RPC call may be able to crash Parity Ethereum nodes (any version) that have manually enabled public-facing RPC. For versions 2.5.6-stable and 2.6.1-beta and earlier, the `trace_call` RPC can be executed remotely by a third party.

Who’s affected?

Nodes that have manually enabled public-facing RPC are affected. Furthermore, we suspect that nodes that have manually enabled tracing may also be vulnerable. This means that primarily only public infrastructure setups are exposed. Regular users who have not changed these node settings are not impacted.

Who’s not affected?

By default, Parity Ethereum does not enable tracing or public-facing RPC, so the majority of nodes should not be affected. Regardless, we recommend that everyone running Parity Ethereum nodes update to this latest version.

Fix available—update ASAP

Releases 2.5.7-stable and 2.6.2-beta are now available and fix this issue. Download them here.

Please update your nodes to the newest version ASAP, especially if you’re running a node that has enabled tracing or a node that has enabled public-facing RPC. Nodes with the `--auto-update=all` flag set will receive the updates automatically.

By default, Parity Ethereum only listens on local loopback IP addresses. As a rule, we recommend never exposing an unfiltered RPC interface to the internet, as it’s not needed unless running an infrastructure service.
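
As an added example (not Parity's own code), the following Python triages a node against this advisory from its version string and the command-line arguments it was started with. It assumes the node is configured through the `--jsonrpc-interface`, `--unsafe-expose` and `--tracing` flags rather than a config file, and that release lines other than 2.5 and 2.6 are patched only if newer than 2.6; the function names and status strings are hypothetical.

```python
import ipaddress
import re

# Fixed patch level per release line, from the advisory: 2.5.7-stable, 2.6.2-beta.
FIXED = {(2, 5): 7, (2, 6): 2}

def is_patched(version):
    """True if the version is at or above the fixed release for its line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: release lines after 2.6 carry the fix; older lines never got it.
    return (major, minor) > (2, 6)

def flag_value(argv, name, default):
    """Value of `--name=value` or `--name value`; the default if the flag is absent."""
    for i, arg in enumerate(argv):
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
    return default

def rpc_is_public(argv):
    """True if the HTTP JSON-RPC server binds to anything other than loopback."""
    if "--unsafe-expose" in argv:          # binds every server to all interfaces
        return True
    iface = flag_value(argv, "--jsonrpc-interface", "local")
    if iface in ("local", "all"):
        return iface == "all"
    try:
        return not ipaddress.ip_address(iface).is_loopback
    except ValueError:
        return True                        # hostname: treat as exposed until checked

def triage(version, argv):
    """Place one node in the advisory's categories."""
    public = rpc_is_public(argv)
    # Only an explicit "on" counts as manually enabled; "auto" is the default.
    tracing = flag_value(argv, "--tracing", "auto") == "on"
    if not (public or tracing):
        return "default settings: update recommended"
    if is_patched(version):
        return "patched"
    return "update now: public RPC" if public else "update now: tracing enabled"
```

A node reported as "patched" with public RPC still falls under the recommendation above to filter the RPC interface.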

Bug bounty program

Thanks to Scott Bigelow for reporting. As always, we welcome and reward bug findings as per our bug bounty program.
