Security Vulnerabilities Found #1

xrdavies opened this issue Feb 11, 2025 · 0 comments
Security Vulnerabilities Found

During a security audit, we identified several vulnerabilities in our blockchain-related dependencies. These vulnerabilities don't affect the basic website functionality but should be addressed in future updates.

High Severity Issues

  1. WebSocket (ws) Package

    • Vulnerability: DoS when handling requests with many HTTP headers
    • Affected versions: 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0
    • CVE: GHSA-3h5v-q93c-6h6q
    • Dependency path: viem > ws
  2. Viem Package

    • Uses vulnerable version of ws
    • Affected versions: <=0.0.0-wagmiv2-20230628182101 || 0.2.2 - 2.15.0

Low Severity Issues

  1. Elliptic Package
    • Multiple cryptographic vulnerabilities:
      • EDDSA missing signature length check
      • ECDSA missing check for leading bit of r and s
      • Allows BER-encoded signatures
      • Valid ECDSA signatures erroneously rejected
      • Verify function omits uniqueness validation
    • Affects multiple @ethersproject/* packages

Affected Dependencies

  • @seedao/sns-js and related packages
  • ethers (v5.7.2)
  • wagmi (v1.4.12)
  • @joyid/wagmi (v0.1.0)
  • Various @ethersproject/* packages

Required Actions

  1. Coordinate with SeeDAO Team

    • Update @seedao/sns-js and related packages to use latest versions of ethers and wagmi
    • Test updates thoroughly as they involve breaking changes
  2. Package Updates Needed

    • Update ethers to v6.13.5
    • Update wagmi to latest compatible version
    • Update viem to latest compatible version
    • Update or replace affected @ethersproject/* packages
  3. Testing Requirements

    • Test all blockchain interactions
    • Verify wallet connections still work
    • Test contract interactions
    • Test transaction signing and sending

Implementation Plan

  1. Create a new branch for dependency updates
  2. Update packages one at a time, starting with core dependencies
  3. Fix any breaking changes
  4. Test thoroughly in a staging environment
  5. Deploy to production after successful testing

Notes

  • These vulnerabilities are primarily in the blockchain interaction code
  • Basic website functionality and SEO are not affected
  • Updates should be coordinated with the SeeDAO team due to potential breaking changes

Related Links
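As an added example (not part of this issue or the project's own code), the check below walks an npm lockfile (assumed to be lockfileVersion 2 or 3, with a "packages" map) and flags ws and viem entries whose installed version falls inside the affected ranges quoted above; the sample lockfile at the end is constructed.

```javascript
// Affected ranges copied from the issue; npm hyphen ranges are inclusive at both ends.
const AFFECTED = {
  ws: "7.0.0 - 7.5.9 || 8.0.0 - 8.17.0",
  viem: "<=0.0.0-wagmiv2-20230628182101 || 0.2.2 - 2.15.0",
};
// Parse "1.2.3-pre" into { nums: [1, 2, 3], pre: "pre" } (pre is null for a plain release).
function parseVersion(v) {
  const idx = v.indexOf("-");
  const core = idx === -1 ? v : v.slice(0, idx);
  return { nums: core.split(".").map(Number), pre: idx === -1 ? null : v.slice(idx + 1) };
}
// Semver ordering: numeric triple first; a prerelease sorts below its plain release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}
// Handles the two range forms used in the issue, "<=X" and the inclusive
// hyphen range "A - B", with alternatives joined by "||".
function isAffected(version, rangeExpr) {
  return rangeExpr.split("||").some((part) => {
    const r = part.trim();
    if (r.startsWith("<=")) return compareVersions(version, r.slice(2)) <= 0;
    const [lo, hi] = r.split(" - ");
    return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
  });
}
// Walk every "packages" entry so a copy of ws nested under viem
// (node_modules/viem/node_modules/ws) is reported, not only the top-level one.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (AFFECTED[name] && isAffected(meta.version, AFFECTED[name])) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}
// Constructed sample lockfile: patched top-level ws, vulnerable viem, nested vulnerable ws.
const SAMPLE_LOCK = { packages: {
  "node_modules/ws": { version: "8.18.0" },
  "node_modules/viem": { version: "1.21.4" },
  "node_modules/viem/node_modules/ws": { version: "8.13.0" },
} };
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; nested copies matter here because the issue's dependency path runs through viem.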
