Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cGYzLTZmZ3ItM2czZ84AAy3P
`chainId` may be outdated if user changes chains as part of connection in @web3-react
Impact
chainId
may be outdated if the user changes chains as part of the connection flow. This means that the value of chainId
returned by useWeb3React()
may be incorrect. In an application, this means that any data derived from chainId
could be incorrect.
For example, if a swapping application derives a wrapped token contract address from the chainId
and a user has changed chains as part of their connection flow the application could cause the user to send funds to the incorrect address when wrapping. This is a common approach when using other foundational libraries like ethers
, and most users of v8 will want to upgrade past the affected versions.
Patches
Patched in https://github.com/Uniswap/web3-react/pull/749.
Users of [email protected] should upgrade to at least:
- @web3-react/coinbase-wallet@^8.0.35-beta.0
- @web3-react/eip1193@^8.0.27-beta.0
- @web3-react/metamask@^8.0.30-beta.0
- @web3-react/walletconnect@^8.0.37-beta.0
Workarounds
N/A
References
N/A
Permalink: https://github.com/advisories/GHSA-8pf3-6fgr-3g3gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cGYzLTZmZ3ItM2czZ84AAy3P
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 6 months ago
CVSS Score: 5.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
Identifiers: GHSA-8pf3-6fgr-3g3g, CVE-2023-30543
References:
- https://github.com/Uniswap/web3-react/security/advisories/GHSA-8pf3-6fgr-3g3g
- https://nvd.nist.gov/vuln/detail/CVE-2023-30543
- https://github.com/Uniswap/web3-react/pull/749
- https://github.com/advisories/GHSA-8pf3-6fgr-3g3g
Blast Radius: 14.1
Affected Packages
npm:@web3-react/walletconnect
Dependent packages: 108Dependent repositories: 280
Downloads: 61,482 last month
Affected Version Ranges: >= 6.0.0, < 8.0.37-beta.0
Fixed in: 8.0.37-beta.0
All affected versions:
All unaffected versions: 0.0.1, 4.0.4, 8.2.0, 8.2.2, 8.2.3
npm:@web3-react/metamask
Dependent packages: 145Dependent repositories: 515
Downloads: 114,262 last month
Affected Version Ranges: >= 6.0.0, < 8.0.30-beta.0
Fixed in: 8.0.30-beta.0
All affected versions:
All unaffected versions: 8.2.0, 8.2.1, 8.2.3, 8.2.4
npm:@web3-react/eip1193
Dependent packages: 90Dependent repositories: 298
Downloads: 69,040 last month
Affected Version Ranges: >= 6.0.0, < 8.0.27-beta.0
Fixed in: 8.0.27-beta
All affected versions:
All unaffected versions: 8.2.0, 8.2.2, 8.2.3
npm:@web3-react/coinbase-wallet
Dependent packages: 44Dependent repositories: 240
Downloads: 69,023 last month
Affected Version Ranges: >= 6.0.0, < 8.0.35-beta.0
Fixed in: 8.0.35-beta.0
All affected versions:
All unaffected versions: 8.2.0, 8.2.2, 8.2.3