CVE-2023-30543 @web3-react/coinbase-wallet

Package

Manager: npm
Name: @web3-react/coinbase-wallet
Vulnerable Version: >=6.0.0 <8.0.35-beta.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00037 (percentile: 0.09964)

Details

`chainId` may be outdated if user changes chains as part of connection in @web3-react

### Impact

`chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by `useWeb3React()` may be incorrect.

In an application, this means that any data derived from `chainId` could be incorrect. For example, if a swapping application derives a wrapped token contract address from the `chainId` *and* a user has changed chains as part of their connection flow the application could cause the user to send funds to the incorrect address when wrapping.

This is a common approach when using other foundational libraries like [`ethers`](https://github.com/ethers-io/ethers.js), and most users of v8 will want to upgrade past the affected versions.

### Patches

Patched in https://github.com/Uniswap/web3-react/pull/749.

Users of web3-react@8.0.x-beta.0 should upgrade to at least:

- @web3-react/coinbase-wallet@^8.0.35-beta.0
- @web3-react/eip1193@^8.0.27-beta.0
- @web3-react/metamask@^8.0.30-beta.0
- @web3-react/walletconnect@^8.0.37-beta.0

### Workarounds

N/A

### References

N/A
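The failure mode described under Impact, as an added example that is not code from web3-react or from the advisory: an application that re-queries the wallet with `eth_chainId` immediately before deriving a contract address can detect a stale cached `chainId` and refuse to build the transaction. This is a consistency check for illustration and does not replace upgrading to the patched versions. The mock provider, the function names and the placeholder addresses are all assumptions made for the example.

```javascript
// Added illustration; addresses are constructed placeholders, not real contracts.
const WRAPPED_NATIVE = {
  1: '0x1111111111111111111111111111111111111111',
  137: '0x2222222222222222222222222222222222222222',
};

// Minimal EIP-1193-style mock wallet (constructed): the wallet, not the dapp, owns the active chain.
function makeMockProvider(initialChainId) {
  let active = initialChainId;
  return {
    switchChain(id) { active = id; },
    async request({ method }) {
      if (method === 'eth_chainId') return '0x' + active.toString(16);
      throw new Error(`unsupported method: ${method}`);
    },
  };
}

// Pure check: compare the chainId held in app state with what the wallet reports.
function resolveWrappedToken(cachedChainId, liveChainIdHex) {
  const live = Number.parseInt(liveChainIdHex, 16);
  if (!Number.isInteger(live)) throw new Error('wallet returned a malformed chainId');
  if (live !== cachedChainId) {
    throw new Error(`stale chainId: app has ${cachedChainId}, wallet is on ${live}`);
  }
  const address = WRAPPED_NATIVE[live];
  if (!address) throw new Error(`no wrapped token configured for chain ${live}`);
  return address;
}

// Re-query the wallet immediately before deriving an address for a transaction.
async function wrappedTokenForTx(provider, cachedChainId) {
  const liveHex = await provider.request({ method: 'eth_chainId' });
  return resolveWrappedToken(cachedChainId, liveHex);
}

// Constructed scenario: state captured chain 1, then the user switched to 137 mid-connection.
async function demo() {
  const provider = makeMockProvider(1);
  const cachedChainId = 1; // value the app read at the start of the connection flow
  provider.switchChain(137); // user changes chains during the connection flow
  const naive = WRAPPED_NATIVE[cachedChainId]; // what an unchecked app would use
  try {
    await wrappedTokenForTx(provider, cachedChainId);
    return { naive, blocked: false };
  } catch (err) {
    return { naive, blocked: true, reason: err.message };
  }
}
```
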

Metadata

Created: 2023-04-18T22:29:53Z
Modified: 2023-04-18T22:29:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-8pf3-6fgr-3g3g/GHSA-8pf3-6fgr-3g3g.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-8pf3-6fgr-3g3g
Finding: F124
Auto approve: 1