Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmcmMtN21qMi01eGg5
Undefined Behavior in zencashjs
Versions of zencashjs prior to 1.2.0 may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 address prefixes chosen in Horizen there exists the possibility of a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses, testnet P2PKH addresses start with “zt” while a subset of mainnet P2SH addresses can also start with “zt”. The package interprets transactions sent to a “zt” P2SH address on mainnet as P2PKH transactions erroneously. Any funds sent to a mainnet P2SH multisignature address starting with “zt” will be sent to the wrong address and be lost.
Recommendation
Upgrade to version 1.2.0 or later.
Permalink: https://github.com/advisories/GHSA-xfrc-7mj2-5xh9JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmcmMtN21qMi01eGg5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
Identifiers: GHSA-xfrc-7mj2-5xh9
References:
- https://github.com/ZencashOfficial/zencashjs/commit/db01bd94b9f8a956d7835e934500eaa643f8bd13#diff-42d8d2088a96641b563b25ad908b0c0fR146
- https://www.npmjs.com/advisories/1035
- https://github.com/advisories/GHSA-xfrc-7mj2-5xh9
Blast Radius: 0.0
Affected Packages
npm:zencashjs
Dependent packages: 1Dependent repositories: 19
Downloads: 250 last month
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions:
All unaffected versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 2.0.1, 2.0.2, 2.1.0