Critical severity vulnerability that affects slpjs

Critical severity GitHub Reviewed Published Nov 15, 2019 in simpleledger/slpjs • Updated Jan 9, 2023

Package

slpjs (npm)

Affected versions

< 0.21.4

Patched versions

0.21.4

Description

Validator parsing discrepancy due to string encoding

Impact

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus.

Patches

All versions > 0.21.3 are patched.

Workarounds

Upgrade to any version >= 0.21.4.
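
One way to check a project for the affected range, given here as an added example that is not part of the advisory or of slpjs: it scans a parsed `package-lock.json` for `slpjs` installs below 0.21.4, including copies pulled in transitively. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag slpjs installs below the patched release 0.21.4.
const PATCHED = [0, 21, 4];

// True when `version` falls in the advisory's affected range (< 0.21.4).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true; // git/tarball/missing version: flag for manual review
  const core = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (core[i] !== PATCHED[i]) return core[i] < PATCHED[i];
  }
  return Boolean(m[4]); // a pre-release of 0.21.4 sorts before 0.21.4
}

// Accepts a parsed package-lock.json and returns every affected slpjs install.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/slpjs') && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'slpjs' && isAffected(meta.version)) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample (lockfileVersion 2 shape), not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'wallet-demo', version: '1.0.0' },
    'node_modules/slpjs': { version: '0.21.4' },
    'node_modules/legacy-indexer/node_modules/slpjs': { version: '0.21.3' },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findAffected`; an empty array means no install in the affected range was found.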

References

The bug was located and fixed here.

For more information

If you have any questions or comments about this advisory:

References

@jcramer jcramer published to simpleledger/slpjs Nov 15, 2019
Published to the GitHub Advisory Database Nov 15, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Critical

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(45th percentile)

Weaknesses

CVE ID

CVE-2019-16762

GHSA ID

GHSA-425c-ccf3-3jrr

Source code

No known source code