Skip to content

False-positive validity for NFT1 genesis transactions

Critical severity GitHub Reviewed Published Jul 29, 2020 in simpleledger/slp-validate.js • Updated Jan 9, 2023

Package

npm slp-validate (npm)

Affected versions

< 1.2.2

Patched versions

1.2.2

Description

Impact

In the npm package named "slp-validate", versions prior to 1.2.2 are vulnerable to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.

Patches

npm package "slp-validate" has been patched and is published and tagged as version 1.2.2.

Workarounds

Upgrade to slp-validate 1.2.2.

References

For more information

If you have any questions or comments about this advisory please open an issue in the slp-validate repository.

References

@jcramer jcramer published to simpleledger/slp-validate.js Jul 29, 2020
Reviewed Jul 30, 2020
Published to the GitHub Advisory Database Jul 30, 2020
Last updated Jan 9, 2023

Severity

Critical

EPSS score

0.071%
(32nd percentile)

Weaknesses

CVE ID

CVE-2020-15131

GHSA ID

GHSA-6jmr-jfh7-xg3h

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.