CVE-2024-41945
LOWSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 4 npm packages depend on @fuel-ts/account (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.93.0.
DescriptionCVE.org
fuels-ts is a library for interacting with Fuel v2. The typescript SDK has no awareness of to-be-spent transactions causing some transactions to fail or silently get pruned as they are funded with already used UTXOs. The problem occurs, because the fund function in fuels-ts/packages/account/src/account.ts gets the needed ressources statelessly with the function getResourcesToSpend without taking into consideration already used UTXOs. This issue will lead to unexpected SDK behaviour, such as a transaction not getting included in the txpool / in a block or a previous transaction silently getting removed from the txpool and replaced with a new one.
AnalysisAI
fuels-ts is a library for interacting with Fuel v2. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-20. fuels-ts is a library for interacting with Fuel v2. The typescript SDK has no awareness of to-be-spent transactions causing some transactions to fail or silently get pruned as they are funded with already used UTXOs. The problem occurs, because the fund function in fuels-ts/packages/account/src/account.ts gets the needed ressources statelessly with the function getResourcesToSpend without taking into consideration already used UTXOs. This issue will lead to unexpected SDK behaviour, such as a transaction not getting included in the txpool / in a block or a previous transaction silently getting removed from the txpool and replaced with a new one.
Affected ProductsAI
See vendor advisory for affected versions.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today