Tempo has released the critical security patch v1.5.1 to address a denial-of-service vulnerability in RPC endpoints, and all node operators are urged to upgrade immediately.
> Impact
This week, we shipped Tempo v1.5.1, a critical security release. A denial-of-service (DoS) vulnerability was discovered in Tempo RPC endpoints that accept state overrides. It was found that a maliciously crafted payload sent to these endpoints could trigger unbounded memory allocation, causing the node to consume excessive resources and ultimately crash. This patch directly addresses the vulnerability by implementing stricter validation and resource limits on state override payloads, preventing the memory exhaustion attack vector.
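To make the fix concrete, here is an added example (not Tempo's code) of the kind of bounded validation the advisory describes: caps are enforced on the raw body, the account count, the code size and the storage-slot count before any part of the override is materialised, so an oversized payload is rejected instead of driving allocation. The override shape (address to code/state/stateDiff, as in Geth-style eth_call overrides) and the numeric limits are assumptions.

```python
import json
# Illustrative caps (assumptions, not Tempo's actual limits).
MAX_BODY_BYTES = 1 << 20   # bound the raw body before json.loads touches it
MAX_ACCOUNTS = 64          # overridden accounts per request
MAX_CODE_BYTES = 24_576    # EIP-170 deployed-code size
MAX_SLOTS = 256            # storage slots per overridden account

class OverrideRejected(ValueError): pass

def _hex(value, nbytes, what, exact=True):
    # Fixed-width hex data: "0x" followed by exactly (or at most) 2*nbytes digits.
    if not isinstance(value, str) or not value.startswith("0x"):
        raise OverrideRejected(f"{what}: expected 0x-prefixed hex")
    d = value[2:]
    if len(d) % 2 or len(d) > 2 * nbytes or (exact and len(d) != 2 * nbytes):
        raise OverrideRejected(f"{what}: bad length ({len(d) // 2} bytes)")
    try:
        return bytes.fromhex(d)
    except ValueError:
        raise OverrideRejected(f"{what}: invalid hex") from None

def _slots(mapping, what):
    if not isinstance(mapping, dict) or len(mapping) > MAX_SLOTS:
        raise OverrideRejected(f"{what}: expected object with <= {MAX_SLOTS} slots")
    return {_hex(k, 32, f"{what} key"): _hex(v, 32, f"{what} value")
            for k, v in mapping.items()}

def validate_state_overrides(raw: bytes) -> dict:
    """Parse and bound a state-override body, or raise OverrideRejected."""
    if len(raw) > MAX_BODY_BYTES:
        raise OverrideRejected("body exceeds byte cap")
    try:
        payload = json.loads(raw)
    except ValueError as e:
        raise OverrideRejected(f"malformed JSON: {e}") from None
    if not isinstance(payload, dict) or len(payload) > MAX_ACCOUNTS:
        raise OverrideRejected(f"expected object with <= {MAX_ACCOUNTS} accounts")
    out = {}
    for addr, fields in payload.items():
        if not isinstance(fields, dict):
            raise OverrideRejected(f"{addr}: expected object")
        acct = {}
        if "code" in fields:
            acct["code"] = _hex(fields["code"], MAX_CODE_BYTES, f"{addr} code", exact=False)
        for key in ("state", "stateDiff"):
            if key in fields:
                acct[key] = _slots(fields[key], f"{addr} {key}")
        out[_hex(addr, 20, "address")] = acct
    return out
```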
In addition to the critical security fix, v1.5.1 also includes a patch for an issue related to precompiles. While less severe, this bug could cause unexpected behavior or incorrect results when interacting with certain precompiled contracts, impacting dapps that rely on them. This fix ensures the correctness and reliability of precompile execution, contributing to overall network stability and providing a more predictable development environment.
The immediate impact of this release is a significant enhancement to the security and resilience of the entire Tempo network. All RPC node operators are strongly advised to upgrade to v1.5.1 without delay. Failure to do so leaves nodes vulnerable to being taken offline by malicious actors, which could disrupt services and applications relying on them. Upgrading ensures your infrastructure is protected and contributes to the collective health and stability of the Tempo ecosystem.
> Try this now
# For Node Operators: Verify your version and upgrade to v1.5.1
# 1. SSH into your node
# ssh user@your-node-ip
# 2. Check your current Tempo client version
# An output lower than 1.5.1 means you need to upgrade.
tempo --version
# >> tempo version 1.5.0-stable
# 3. Stop the running Tempo service
# The command may vary based on your setup (e.g., docker, systemd)
sudo systemctl stop tempo.service
# 4. Update to the new version
# This example assumes you are using a repository.
# Replace with your specific update procedure (e.g., downloading the binary).
sudo apt-get update && sudo apt-get install tempo --only-upgrade
# 5. Restart the Tempo service
sudo systemctl start tempo.service
# 6. Verify the new version is installed correctly
tempo --version
# >> tempo version 1.5.1-stable
# 7. Monitor your node logs for stability
journalctl -u tempo.service -f