CVE-2020-5232 – @ensdomains/ens

Package

Manager: npm
Name: @ensdomains/ens
Vulnerable Version: >=0 <0.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00784 pctl0.72889

Details

Malicious takeover of previously owned ENS names ### Impact A user who owns an ENS domain can set a "trapdoor", allowing them to transfer ownership to another user, and later regain ownership without the new owner's consent or awareness. ### Patches A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry. The registry is newly deployed at [0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e](https://etherscan.io/address/0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e). ### Workarounds Do not accept transfers of ENS domains from other users on the old registrar.

Metadata

Created: 2020-01-30T23:55:04Z
Modified: 2022-09-21T19:32:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-8f9f-pc5v-9r5h/GHSA-8f9f-pc5v-9r5h.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-8f9f-pc5v-9r5h
Finding: F039
Auto approve: 1