CVE-2019-16762 slpjs

Package

Manager: npm
Name: slpjs
Vulnerable Version: >=0 <0.21.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00392 (percentile 0.59416)

Details

Critical severity vulnerability that affects slpjs

## Validator parsing discrepancy due to string encoding

### Impact

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus.

### Patches

All versions > 0.21.3 are patched.

### Workarounds

Upgrade to any version >= 0.21.4.

### References

The bug was located and fixed [here](https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701).

### For more information

If you have any questions or comments about this advisory:

* Open an issue in the [slpjs repo](https://github.com/simpleledger/slpjs/issues)
* Email us at [info@slp.cash](mailto:info@slp.cash)

Metadata

Created: 2019-11-15T23:10:35Z
Modified: 2021-01-08T19:57:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-425c-ccf3-3jrr/GHSA-425c-ccf3-3jrr.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-425c-ccf3-3jrr
Finding: F184
Auto approve: 1