Buffer Overflow in bigint-buffer’s toBigIntLE() leads to DoS in @solana/spl-token

[muse0509]

Description:
Versions ≤1.1.5 of the [bigint-buffer](https://github.com/no2chem/bigint-buffer) package contain a buffer-overflow bug in the native toBigIntLE() binding. Because @solana/spl-token (via buffer-layout-utils) uses toBigIntLE() to deserialize token amounts, passing an invalid or non-Buffer argument can crash the Node.js process, resulting in a denial-of-service.

Steps to Reproduce:

1. Install a vulnerable setup:

   npm install @solana/spl-token@0.4.13 bigint-buffer@1.1.5

2. In Node.js (with native-bindings enabled), call for example:

   const { toBigIntLE } = require('bigint-buffer');
   toBigIntLE(null);  // invalid input

3. Observe the process crash with a segmentation fault or native addon error.

Actual Behavior:
Node.js process terminates unexpectedly due to a native buffer-overflow in toBigIntLE().

Expected Behavior:
Invalid inputs should throw a JavaScript-level TypeError (or similar) without crashing the process.

Environment:

• Node.js v16+ (with node-gyp build tooling)
• @solana/spl-token v0.4.13 (via @solana/buffer-layout-utils)
• bigint-buffer v1.1.5

Impact:
High severity (CVE-2025-3194 / GHSA-3gc7-fjrx-p6mg). An attacker controlling buffer-input data can trigger a DoS by crashing any service deserializing SPL Token amounts.

Suggested Mitigation:

1. Add a guard in toBigIntLE() (native addon) to validate Buffer.isBuffer(input) before dereferencing.
2. Fallback to the pure-JS implementation on invalid input rather than invoking the native binding.
3. Release patched versions of bigint-buffer, and bump @solana/web3.js / @solana/spl-token to depend on the fixed version.

References:

• GitHub Advisory: GHSA-3gc7-fjrx-p6mg
• CVE-2025-3194: https://nvd.nist.gov/vuln/detail/CVE-2025-3194
• Snyk Report: https://security.snyk.io/vuln/SNYK-JS-BIGINTBUFFER-3364597

Labels:
area/security severity/high needs-triage

---