Always-Incorrect Control Flow Implementation Affecting @solana/pay package, versions <0.2.1


Severity: medium (CVSS 3.1 assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.08% (36th percentile)

  • Snyk ID: SNYK-JS-SOLANAPAY-2964940
  • Published: 2 Aug 2022
  • Disclosed: 2 Aug 2022
  • Credit: cmowenby

Introduced: 2 Aug 2022

CVE-2022-35917
CWE-670

How to fix?

Upgrade @solana/pay to version 0.2.1 or higher.

Overview

@solana/pay is a JavaScript library for facilitating commerce on Solana by using a token transfer URL scheme. The URL scheme ensures that, no matter which wallet or service is used, a payment request is created and interpreted in one standard way.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation via the validateTransfer function, due to an edge case that causes the validation logic to validate multiple payment transfers.

