المراجع

https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415
https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5

🟡 CVE-2026-42086

4.6/10 متوسطة

📦 openc3 🏢 openc3 📌 5.0.10, 5.0.11, 5.0.6, 5.0.7, 5.0.8 🌐 متصفح 💎 مكتبة Ruby RubyGems ⚡ XSS 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 ### Summary The Command Sender UI uses an unsafe `eval()` function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in t...

📅 2026-05-04 NVD 🔗 التفاصيل

الوصف الكامل

### Summary The Command Sender UI uses an unsafe `eval()` function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. ### Details The unsafe `eval()` usage on user-supplied ARRAY parameters happens in `convertToValue` method in [CommandSender.vue](https://github.com/OpenC3/cosmos/blob/main/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/src/tools/CommandSender/CommandSender.vue) ### PoC 1. Using a drop-down form, choose any command that supports ARRAY parameters, 2. Inside square brackets “[…]” place a JavaScript code to be executed 3. Send command to CmdTlmServer using dedicated “Send” button 4. Observe JavaScript code being executed in the current browser session context Below example uses `INST ARYCMD` to execute simple JavaScript code snippet `alert(“XSS”)`. <img width="947" height="356" alt="image" src="https://github.com/user-attachments/assets/6fbdb6c9-616a-4268-bbb8-a8a1044437ad" /> <img width="942" height="545" alt="image" src="https://github.com/user-attachments/assets/4df24353-aea0-4aa0-adcf-b7c7e387dc83" /> ### Impact Local JavaScript execution in the user's browser

الإصدارات المتأثرة

5.0.10, 5.0.11, 5.0.6, 5.0.7, 5.0.8

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

المراجع

https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x

🟡 CVE-2026-42085

4.3/10 متوسطة

📦 openc3 🏢 openc3 📌 5.0.10, 5.0.11, 5.0.6, 5.0.7, 5.0.8 📝 إدارة محتوى 💎 مكتبة Ruby RubyGems ⚡ Path Traversal 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 ### Summary OpenC3 COSMOS contains a design flaw in the `save_tool_config()` function that allows saving tool configuration files at arbitrary locations inside the shared `/plugins` directory tree by supplying crafted configuration filenames. Although the implementation sufficien...

📅 2026-05-04 NVD 🔗 التفاصيل

الوصف الكامل

### Summary OpenC3 COSMOS contains a design flaw in the `save_tool_config()` function that allows saving tool configuration files at arbitrary locations inside the shared `/plugins` directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared `/plugins` directory. ### Details In function `save_tool_config()` ([local_mode.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/local_mode.rb#L452)) responsible for saving user-supplied tool configuration, the desired saving directory is not sufficiently enforced, instead allowing writes inside entire `OPENC3_LOCAL_MODE_PATH`. ### PoC 1. Navigate to any tool that enables “Save Configuration” option in left-hand drop-down menu (here Limits Monitor as an example) 2. Save a new config with path traversal name using “../” sequences to escape desired directory (up to 3 levels high) 3. Observe new files created in /plugins directory by inspecting docker container directly (`openc3-COSMOS-cmd-tlm-api`) or using Bucket Explorer (`plugin_default`) <img width="811" height="584" alt="image" src="https://github.com/user-attachments/assets/015a59b4-8b18-4801-aef0-df4831d5c1c3" /> <img width="720" height="664" alt="image" src="https://github.com/user-attachments/assets/8ca4a5b7-ee45-4c3b-99f6-f41f974a74a7" /> ### Impact Modifying the data of other plugins

الإصدارات المتأثرة

5.0.10, 5.0.11, 5.0.6, 5.0.7, 5.0.8

نوع الثغرة

CWE-23 — Path Traversal

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

المراجع

https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5
https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42
https://github.com/OpenC3/cosmos/releases/tag/v6.10.5
https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3
https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h

🟠 CVE-2026-42084

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

المراجع

https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
https://github.com/avo-hq/avo

🟠 CVE-2026-41316

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0
https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm

⚪ GHSA-3jfp-46x4-xgfj

غير محدد

📦 yard 📌 All versions < 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.3.2 ⛓️‍💥 هجوم سلسلة التوريد 💎 مكتبة Ruby RubyGems 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 ### Impact A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch i...

📅 2026-04-17 OSV/RubyGems 🔗 التفاصيل

الوصف الكامل

### Impact A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch in [GHSA-xfhh-rx56-rxcr](https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr) was incorrectly applied. ### Patches Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on `--docroot`. ### Workarounds For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

الإصدارات المتأثرة

All versions < 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.3.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

المراجع

https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
https://github.com/lsegal/yard

⚪ CVE-2026-41493

غير محدد

📦 yard 📌 All versions < 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.3.2 ⛓️‍💥 هجوم سلسلة التوريد 💎 مكتبة Ruby RubyGems ⚡ Path Traversal 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 ### Impact A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch i...

📅 2026-04-17 OSV/RubyGems 🔗 التفاصيل

الوصف الكامل

### Impact A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch in [GHSA-xfhh-rx56-rxcr](https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr) was incorrectly applied. ### Patches Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on `--docroot`. ### Workarounds For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

الإصدارات المتأثرة

All versions < 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.3.2

نوع الثغرة

CWE-22 — Path Traversal

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

المراجع

https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
https://github.com/lsegal/yard

🟢 CVE-2026-27820

1.7/10 منخفضة

📦 zlib, zlib, zlib 📌 >= 3.2.0, < 3.2.3, >= 3.1.0, < 3.1.2, < 3.0.1 📄 مكتبي 📦 مكتبة Ruby rubygems ⚡ Buffer Overflow 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 ### Details A buffer overflow vulnerability exists in `Zlib::GzipReader`. The `zstream_buffer_ungets` function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the exi...

📅 2026-04-16 NVD 🔗 التفاصيل

الوصف الكامل

### Details A buffer overflow vulnerability exists in `Zlib::GzipReader`. The `zstream_buffer_ungets` function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. ### Recommended action We recommend to update the `zlib` gem to version 3.2.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: * For Ruby 3.2 users: Update to zlib 3.0.1 * For Ruby 3.3 users: Update to zlib 3.1.2 You can use gem update zlib to update it. If you are using bundler, please add `gem "zlib", ">= 3.2.3"` to your Gemfile. ### Affected versions zlib gem 3.2.2 or lower ### Credits [calysteon](https://hackerone.com/calysteon) ### References * https://hackerone.com/reports/3467067

الإصدارات المتأثرة

>= 3.2.0, < 3.2.3, >= 3.1.0, < 3.1.2, < 3.0.1

نوع الثغرة

CWE-120 — Buffer Overflow

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

المراجع

https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm
https://github.com/boazsegev/facil.io

🟠 CVE-2026-40870

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

المراجع

https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm
https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9
https://github.com/advisories/GHSA-w5xj-99cg-rccm

🟢 GHSA-9pm8-vwc5-w2hm

منخفضة

📦 fat_free_crm 📌 All versions < 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4 📧 بريد 💎 مكتبة Ruby RubyGems 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 ### Impact Authenticated users can delete emails imported into the system assigned to another user; where the [Email Dropbox](https://github.com/fatfreecrm/fat_free_crm/wiki/Email-Dropbox) is in use. ### Patches Fixed in v0.26.0 ### Workarounds Disable use of email dropbox.

📅 2026-04-14 OSV/RubyGems 🔗 التفاصيل

الوصف الكامل

### Impact Authenticated users can delete emails imported into the system assigned to another user; where the [Email Dropbox](https://github.com/fatfreecrm/fat_free_crm/wiki/Email-Dropbox) is in use. ### Patches Fixed in v0.26.0 ### Workarounds Disable use of email dropbox.

الإصدارات المتأثرة

All versions < 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

المراجع

https://github.com/fatfreecrm/fat_free_crm/security/advisories/GHSA-9pm8-vwc5-w2hm
https://github.com/fatfreecrm/fat_free_crm

🔴 CVE-2026-23891

9.3/10 حرجة

📦 decidim-core, decidim-core 📌 >= 0.31.0.rc1, < 0.31.0, < 0.30.5 ⛓️‍💥 هجوم سلسلة التوريد 📦 مكتبة Ruby rubygems ⚡ XSS 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع 🔍 cyberschnaps

💬 ### Impact A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. #...

📅 2026-04-13 GitHub 🔗 التفاصيل

الوصف الكامل

### Impact A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. ### Patches N/A ### Workarounds Not available ### References OWASP ASVS v4.0.3-5.1.3 ### Credits This issue was discovered in a security audit organized by [octree](https://octree.ch/) and made by [Secu Labs](https://seculabs.ch/) against Decidim financed by the city of Lausanne (Switzerland).

الإصدارات المتأثرة

>= 0.31.0.rc1, < 0.31.0, < 0.30.5

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
https://github.com/decidim/decidim/releases/tag/v0.30.5
https://github.com/decidim/decidim/releases/tag/v0.31.1
https://github.com/advisories/GHSA-fc46-r95f-hq7g

🟠 CVE-2026-40069

7.5/10 عالية

📦 bsv-sdk 📌 >= 0.1.0, < 0.8.2 ⛓️‍💥 هجوم سلسلة التوريد 📦 مكتبة Ruby rubygems ⚡ CWE-754 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع 🔍 sgbett

💬 # ARC broadcaster treats failure statuses as successful broadcasts ## Summary `BSV::Network::ARC`'s failure detection only recognises `REJECTED` and `DOUBLE_SPEND_ATTEMPTED`. ARC responses with `txStatus` values of `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, or any `ORPHAN`...

📅 2026-04-09 GitHub 🔗 التفاصيل

الوصف الكامل

# ARC broadcaster treats failure statuses as successful broadcasts ## Summary `BSV::Network::ARC`'s failure detection only recognises `REJECTED` and `DOUBLE_SPEND_ATTEMPTED`. ARC responses with `txStatus` values of `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, or any `ORPHAN`-containing `extraInfo` / `txStatus` are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. ## Details `lib/bsv/network/arc.rb` (lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises: - `INVALID` - `MALFORMED` - `MINED_IN_STALE_BLOCK` - Any response containing `ORPHAN` in `extraInfo` or `txStatus` The Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts. Additional divergences in the same module compound the risk: - `Content-Type` is sent as `application/octet-stream`; the TS reference sends `application/json` with a `{ rawTx: <hex> }` body (EF form where source transactions are available). - The headers `XDeployment-ID`, `X-CallbackUrl`, and `X-CallbackToken` are not sent. The immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance. ## Impact Integrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success — releasing goods, marking invoices paid, treating a token as minted, progressing a workflow — are tricked into trusting transactions that were never broadcast. This is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability. ## CVSS rationale `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` → **7.5 (High)** - **AV:N** — network-reachable. - **AC:L** — no specialised access conditions are required. Triggering any of the unhandled failure statuses is not meaningfully harder than broadcasting a transaction at all: a malformed or invalid transaction, an orphan condition from a transient fork, or a hostile/misbehaving ARC endpoint returning one of these statuses is sufficient. The attacker does not need to defeat any mitigation or race a specific window — the bug is that the code path doesn't exist at all. - **PR:N** — no privileges required. - **UI:N** — no user interaction. - **C:N** — no confidentiality impact. - **I:H** — downstream integrity decisions are taken on non-broadcast transactions. - **A:N** — no availability impact. ## Affected versions The ARC broadcaster was introduced in commit `a1f2e62` ("feat(network): add ARC broadcaster with injectable HTTP client") on 2026-02-08 and first released in **v0.1.0**. The narrow failure predicate has been present since introduction. Every release up to and including **v0.8.1** is affected. Affected range: `>= 0.1.0, < 0.8.2`. ## Patches Upgrade to `bsv-sdk >= 0.8.2`. The fix: - Expands the failure predicate (`REJECTED_STATUSES` + `ORPHAN` substring check on both `txStatus` and `extraInfo`) to include `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, and any orphan-containing response, matching the TypeScript reference. - Switches `Content-Type` to `application/json` with a `{ rawTx: <hex> }` body, preferring Extended Format (BRC-30) hex when every input has `source_satoshis` and `source_locking_script` populated and falling back to plain raw-tx hex otherwise. - Adds support for the `XDeployment-ID` (default: random `bsv-ruby-sdk-<hex>`), `X-CallbackUrl`, and `X-CallbackToken` headers via new constructor keyword arguments. Fixed in sgbett/bsv-ruby-sdk#306. ### Note for `bsv-wallet` consumers The sibling gem `bsv-wallet` (published from the same repository) is not independently vulnerable — `lib/bsv/network/arc.rb` is not bundled into the wallet gem's `files` list. However, `bsv-wallet` runtime-depends on `bsv-sdk`, so a consumer of `bsv-wallet` that also invokes the ARC broadcaster is transitively exposed whenever `Gemfile.lock` resolves to a vulnerable `bsv-sdk` version. `bsv-wallet >= 0.3.4` tightens its `bsv-sdk` constraint to `>= 0.8.2, < 1.0`, so upgrading either gem is sufficient to pull in the fix. ## Workarounds If upgrading is not immediately possible: - Verify broadcast results out-of-band (e.g. query a block explorer or WhatsOnChain) before treating a transaction as broadcast. - Do not gate integrity-critical actions solely on the ARC broadcaster's success response. ## Credit Identified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13. ## References - HLR: sgbett/bsv-ruby-sdk#305 - Fix PR: sgbett/bsv-ruby-sdk#306 - Compliance review: [`.architecture/reviews/20260408-cross-sdk-compliance-review.md`](../../.architecture/reviews/20260408-cross-sdk-compliance-review.md) - TypeScript reference: `ARC` class in `@bsv/sdk`

الإصدارات المتأثرة

>= 0.1.0, < 0.8.2

نوع الثغرة

CWE-754 — CWE-754

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

المراجع

https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx
https://nvd.nist.gov/vuln/detail/CVE-2026-40069
https://github.com/sgbett/bsv-ruby-sdk/issues/305
https://github.com/sgbett/bsv-ruby-sdk/pull/306
https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc
https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2
https://github.com/advisories/GHSA-9hfr-gw99-8rhx

🟠 CVE-2026-40070

8.1/10 عالية

📦 bsv-sdk, bsv-wallet 📌 >= 0.3.1, < 0.8.2, >= 0.1.2, < 0.3.4 ⛓️‍💥 هجوم سلسلة التوريد 📦 مكتبة Ruby rubygems ⚡ CWE-347 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع 🔍 sgbett

💬 # Unverified certifier signatures persisted by `acquire_certificate` ## Affected packages Both `bsv-sdk` and `bsv-wallet` are published from the [sgbett/bsv-ruby-sdk](https://github.com/sgbett/bsv-ruby-sdk) repository. The vulnerable code lives in `lib/bsv/wallet_interface/wall...

📅 2026-04-09 GitHub 🔗 التفاصيل

الوصف الكامل

# Unverified certifier signatures persisted by `acquire_certificate` ## Affected packages Both `bsv-sdk` and `bsv-wallet` are published from the [sgbett/bsv-ruby-sdk](https://github.com/sgbett/bsv-ruby-sdk) repository. The vulnerable code lives in `lib/bsv/wallet_interface/wallet_client.rb`, which is **physically shipped inside both gems** (the `bsv-wallet.gemspec` `files` list bundles the entire `lib/bsv/wallet_interface/` tree). Consumers of either gem are independently vulnerable; the two packages are versioned separately, so each has its own affected range. | Package | Affected | Patched | | --- | --- | --- | | `bsv-sdk` | `>= 0.3.1, < 0.8.2` | `0.8.2` | | `bsv-wallet` | `>= 0.1.2, < 0.3.4` | `0.3.4` | ## Summary `BSV::Wallet::WalletClient#acquire_certificate` persists certificate records to storage **without verifying the certifier's signature** over the certificate contents. Both acquisition paths are affected: - `acquisition_protocol: 'direct'` — the caller supplies all certificate fields (including `signature:`) and the record is written to storage verbatim. - `acquisition_protocol: 'issuance'` — the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to `list_certificates` and `prove_certificate`. ## Details BRC-52 requires a certificate's `signature` field to be verified against the claimed certifier's public key over a canonical hashing of `(type, subject, serialNumber, revocationOutpoint, fields)` before the certificate is trusted. The reference TypeScript SDK enforces this in `Certificate.verify()`. ### Direct path The Ruby implementation's `acquire_via_direct` path (`lib/bsv/wallet_interface/wallet_client.rb`) constructs the certificate record directly from caller-supplied fields: ```ruby def acquire_via_direct(args) { type: args[:type], subject: @key_deriver.identity_key, serial_number: args[:serial_number], certifier: args[:certifier], revocation_outpoint: args[:revocation_outpoint], signature: args[:signature], fields: args[:fields], keyring: args[:keyring_for_subject] } end ``` The returned record is then written to the storage adapter by `acquire_certificate`. No verification of `args[:signature]` against `args[:certifier]`'s public key occurs at any point in this path. ### Issuance path `acquire_via_issuance` POSTs to a certifier-supplied URL and parses the response body into a certificate record, which is then written to storage without verifying the returned signature. A hostile or compromised certifier endpoint — or anyone able to redirect/MITM the plain HTTP request — can therefore return an arbitrary `signature` value for any subject and have it stored as authentic. This is the same class of bypass as the direct path; it was tracked separately as finding **F8.16** in the compliance review and is closed by the same fix. ### Downstream impact Downstream reads via `list_certificates` and selective-disclosure via `prove_certificate` treat stored records as valid without re-verifying, so any forgery that slips past `acquire_certificate` is trusted permanently. ## Impact Any caller that can invoke `acquire_certificate` — via either acquisition protocol — can forge a certificate attributed to an arbitrary certifier identity key, containing arbitrary fields, and have it persisted as authentic. Applications and downstream gems that rely on the wallet's certificate store as a source of truth for identity attributes (e.g. KYC assertions, role claims, attestations) are subject to credential forgery. This is a credential-forgery primitive, not merely a spec divergence from BRC-52. ## CVSS rationale `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N` → **8.1 (High)** - **AV:N** — network-reachable in any wallet context that exposes `acquire_certificate` to callers. - **AC:L** — low attack complexity: pass arbitrary bytes as `signature:`. - **PR:L** — low privileges: any caller authorised to invoke `acquire_certificate`. - **UI:N** — no user interaction required. - **C:H** — forged credentials via `prove_certificate` can assert attributes about the subject. - **I:H** — the wallet's credential store is polluted with attacker-controlled data. - **A:N** — availability unaffected. ## Proof of concept ```ruby client = BSV::Wallet::WalletClient.new(key, storage: BSV::Wallet::MemoryStore.new) client.acquire_certificate( type: 'age-over-18', acquisition_protocol: 'direct', certifier: claimed_trusted_pubkey_hex, serial_number: 'any-serial', revocation_outpoint: ('00' * 32) + '.0', signature: 'deadbeef' * 16, # arbitrary bytes — never verified fields: { 'verified' => 'true' }, keyring_for_subject: {} ) client.list_certificates( certifiers: [claimed_trusted_pubkey_hex], types: ['age-over-18'] ) # => returns the forged record as if it were a real certificate from that certifier ``` ## Affected versions The vulnerable direct-path code was introduced in commit `d14dd19` ("feat(wallet): implement BRC-100 identity certificate methods (Phase 5)") on 2026-03-27 20:35 UTC. The vulnerable issuance-path code was added one day later in `6a4d898` ("feat(wallet): implement certificate issuance protocol", 2026-03-28 04:38 UTC), which removed an earlier `raise UnsupportedActionError` and replaced it with an unverified HTTP POST. **`bsv-sdk`:** the v0.3.1 chore bump (`89de3a2`) was committed 28 minutes after `d14dd19`, so the direct-path bypass shipped in the **v0.3.1** tag. The v0.3.1 release raised `UnsupportedActionError` for the issuance path, so the issuance-path bypass first shipped in **v0.3.2** (`5a335de`). Every subsequent release up to and including **v0.8.1** is affected by at least one path, and every release from v0.3.2 onwards is affected by both. Combined affected range: `>= 0.3.1, < 0.8.2`. **`bsv-wallet`:** at the time both commits landed, the wallet gem was at version 0.1.1. The first wallet release containing any of the vulnerable code was **v0.1.2** (`5a335de`, 2026-03-30), which shipped both paths simultaneously. Every subsequent release up to and including **v0.3.3** is affected on both paths. Affected range: `>= 0.1.2, < 0.3.4`. ## Patches Upgrade to `bsv-sdk >= 0.8.2` **and/or** `bsv-wallet >= 0.3.4`. Both releases ship the same fix: a new module `BSV::Wallet::CertificateSignature` (`lib/bsv/wallet_interface/certificate_signature.rb`), which builds the BRC-52 canonical preimage (`type`, `serial_number`, `subject`, `certifier`, `revocation_outpoint`, lexicographically-sorted `fields`) and verifies the certifier's signature against it via `ProtoWallet#verify_signature` with protocol ID `[2, 'certificate signature']` and counterparty = the claimed certifier's public key. Both `acquire_via_direct` and `acquire_via_issuance` now call `CertificateSignature.verify!` before returning the certificate to `acquire_certificate`, so invalid certificates raise `BSV::Wallet::CertificateSignature::InvalidError` (a subclass of `InvalidSignatureError`) and are never written to storage. Consumers should upgrade whichever gem they depend on directly; they do not need both. `bsv-wallet 0.3.4` additionally tightens its dependency on `bsv-sdk` from the stale `~> 0.4` to `>= 0.8.2, < 1.0`, which forces the known-good pairing and pulls in the sibling advisory fixes (F1.3, F5.13) tracked separately. The issuance-path fix also partially closes finding **F8.16** from the same compliance review. F8.16's second aspect — switching the issuance transport from ad-hoc JSON POST to BRC-104 AuthFetch — is not addressed here and remains deferred to a future release. Fixed in sgbett/bsv-ruby-sdk#306. ## Workarounds If upgrading is not immediately possible: - Do not expose `acquire_certificate` (either acquisition protocol) to untrusted callers. - Do not invoke `acquire_certificate` with `acquisition_protocol: 'issuance'` against a certifier URL you do not fully trust, and require TLS for any such request. - Treat any record returned by `list_certificates` / `prove_certificate` as unverified and perform an out-of-band BRC-52 verification against the certifier's public key before acting on it. ## Credit Identified during the 2026-04-08 cross-SDK compliance review, tracked as findings F8.15 (direct path) and F8.16 (issuance path, partial). ## References - HLR: sgbett/bsv-ruby-sdk#305 - Fix PR: sgbett/bsv-ruby-sdk#306 - Compliance review: [`.architecture/reviews/20260408-cross-sdk-compliance-review.md`](../../.architecture/reviews/20260408-cross-sdk-compliance-review.md) - BRC-52 specification: https://brc.dev/52 - TypeScript reference: `Certificate.verify()` in `@bsv/sdk`

الإصدارات المتأثرة

>= 0.3.1, < 0.8.2, >= 0.1.2, < 0.3.4

نوع الثغرة

CWE-347 — CWE-347

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

المراجع

https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j
https://nvd.nist.gov/vuln/detail/CVE-2026-40070
https://github.com/sgbett/bsv-ruby-sdk/issues/305
https://github.com/sgbett/bsv-ruby-sdk/pull/306
https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc
https://brc.dev/52
https://github.com/advisories/GHSA-hc36-c89j-5f4j

🔴 CVE-2026-39324

حرجة

📦 rack-session 📌 2.0.0, 2.1.0, 2.1.1 🌐 متصفح 💎 مكتبة Ruby RubyGems ⚡ Auth Bypass 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 `Rack::Session::Cookie` incorrectly handles decryption failures when configured with `secrets:`. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session coo...

📅 2026-04-08 OSV/RubyGems 🔗 التفاصيل

الوصف الكامل

`Rack::Session::Cookie` incorrectly handles decryption failures when configured with `secrets:`. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. ## Details When `secrets:` is configured, `Rack::Session::Cookie` attempts to decrypt incoming session cookies using one of the configured encryptors. If all decrypt attempts fail, the implementation does not reject the cookie. Instead, it falls back to decoding the cookie using a default coder. This fallback path processes attacker-controlled cookie data as trusted session state. The behavior is implicit and occurs even when encrypted cookies are expected. The fallback decoder is applied automatically and does not require the application to opt into a non-encrypted session format. As a result, a client can send a specially crafted cookie value that bypasses the intended integrity protections provided by `secrets:`. This issue affects both default configurations and those using alternative serializers for encrypted payloads. ## Impact Any Rack application using `Rack::Session::Cookie` with `secrets:` may be affected. > [!NOTE] > Rails applications are typically not affected — Rails uses `ActionDispatch::Session::CookieStore`, which is a separate implementation backed by `ActiveSupport::MessageEncryptor` and does not share the vulnerable code path. An unauthenticated attacker can supply a crafted session cookie that is accepted as valid session data. This can lead to authentication bypass or privilege escalation in applications that rely on session values for identity or authorization decisions. Depending on application behavior and available runtime components, processing of untrusted session data may also expose additional risks. ## Mitigation * Update to a patched version of`rack-session` that rejects cookies when decryption fails under the `secrets:` configuration. * After updating, rotate session secrets to invalidate existing session cookies, since attacker-supplied session data may have been accepted and re-issued prior to the fix.

الإصدارات المتأثرة

2.0.0, 2.1.0, 2.1.1

نوع الثغرة

CWE-287 — Auth Bypass

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

المراجع

https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq
https://nvd.nist.gov/vuln/detail/CVE-2026-39324
https://github.com/rack/rack-session

🟠 CVE-2026-35611

عالية

📦 addressable 📌 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6 🗄️ سيرفر 💎 مكتبة Ruby RubyGems ⚡ CWE-1333 🎯 عن بعد ⚪ لم تُستغل 🟢 ترقيع

💬 ### Impact Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking: 1. Templates using the `*` (explode) modifier with any expansion operator (e.g., `{foo*}`, `{+var*}`, `{#var*}`, `...

📅 2026-04-08 OSV/RubyGems 🔗 التفاصيل

الوصف الكامل

### Impact Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking: 1. Templates using the `*` (explode) modifier with any expansion operator (e.g., `{foo*}`, `{+var*}`, `{#var*}`, `{/var*}`, `{.var*}`, `{;var*}`, `{?var*}`, `{&var*}`) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. 2. Templates using multiple variables with the `+` or `#` operators (e.g., `{+v1,v2,v3}`) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. The first pattern was partially addressed in 2.8.10 for certain operator combinations. Both patterns are fully remediated in 2.9.0. Users of the URI parsing capabilities in Addressable but not the URI template matching capabilities are unaffected. ### Affected Versions This vulnerability affects Addressable >= 2.3.0 (note: 2.3.0 and 2.3.1 were yanked; the earliest installable release is 2.3.2). It was partially fixed in version 2.8.10 and fully remediated in 2.9.0. The vulnerability is more exploitable on MRI Ruby < 3.2 and on all versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with Onigmo 6.9, which introduces memoization that prevents catastrophic backtracking for the first class of template. JRuby and TruffleRuby do not implement equivalent memoization and remain vulnerable to all patterns. This has been confirmed on the following runtimes: | Runtime | Status | |---------|--------| | MRI Ruby 2.6 | Vulnerable | | MRI Ruby 2.7 | Vulnerable | | MRI Ruby 3.0 | Vulnerable | | MRI Ruby 3.1 | Vulnerable | | MRI Ruby 3.2 | Partially vulnerable | | MRI Ruby 3.3 | Partially vulnerable | | MRI Ruby 3.4 | Partially vulnerable | | MRI Ruby 4.0 | Partially vulnerable | | JRuby 10.0 | Vulnerable | | TruffleRuby 21.2 | Vulnerable | ### Workarounds - **Upgrade to MRI Ruby 3.2 or later**, if your application does not use JRuby or TruffleRuby. The Onigmo memoization introduced in MRI Ruby 3.2 prevents catastrophic backtracking from nested unbounded quantifiers (pattern 1 above — templates using the `*` modifier). It does not reliably mitigate the O(n^k) multi-variable case (pattern 2), so upgrading Ruby alone may not be sufficient if your templates use `{+v1,v2,...}` or `{#v1,v2,...}` syntax. - **Avoid using vulnerable template patterns** when matching user-supplied input on unpatched versions of the library: - Templates using the `*` (explode) modifier: `{foo*}`, `{+var*}`, `{#var*}`, `{.var*}`, `{/var*}`, `{;var*}`, `{?var*}`, `{&var*}` - Templates using multiple variables with the `+` or `#` operators: `{+v1,v2}`, `{#v1,v2,v3}`, etc. - **Apply a short timeout** around any call to `Template#match` or `Template#extract` that processes user-supplied data. ### References - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS - https://cwe.mitre.org/data/definitions/1333.html - https://www.regular-expressions.info/catastrophic.html ### Credits Discovered in collaboration with @jamfish. ### For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/sporkmonger/addressable/issues)

الإصدارات المتأثرة

2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6

نوع الثغرة

CWE-1333 — CWE-1333

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4
https://nvd.nist.gov/vuln/detail/CVE-2026-35611
https://github.com/sporkmonger/addressable

⚪ CVE-2026-35201

https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
https://nvd.nist.gov/vuln/detail/CVE-2026-32762
https://github.com/rack/rack

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

نوع الثغرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

نوع الثغرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

نوع الثغرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

نوع الثغرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

نوع الثغرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

نوع الثغرة

CVSS Vector

المراجع

📊 إحصائيات المشروع

الوصف الكامل

الإصدارات المتأثرة

نوع الثغرة