Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.
AnalysisAI
Incorrect transaction broadcast failure detection in BSV Ruby SDK 0.1.0 through 0.8.1 allows unauthenticated remote attackers to manipulate application logic by exploiting incomplete ARC response validation. The SDK's BSV::Network::ARC module only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED status codes as failures, silently treating INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN-containing responses as successful broadcasts. Applications relying on broadcast confirmation for gating critical actions accept failed transactions as valid, enabling integrity compromise in blockchain-dependent workflows. No public exploit identified at time of analysis.
Technical ContextAI
Root cause stems from incomplete enumeration of failure conditions (CWE-754) in ARC transaction status parsing logic. The network broadcast handler implements a whitelist approach that only validates two explicit failure states, defaulting all unrecognized ARC protocol responses to success. This creates a logic gap where multiple legitimate failure statuses bypass detection, violating fail-secure principles in blockchain transaction validation workflows.
RemediationAI
Vendor-released patch: upgrade to BSV Ruby SDK version 0.8.2 or later, which implements comprehensive ARC response validation covering all documented failure states. The fix expands failure detection logic to correctly identify INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN status codes. Review application logic that depends on broadcast success confirmation to ensure proper error handling for previously misclassified failures. No workaround available for unpatched versions; applications using affected versions should prioritize immediate upgrade to prevent transaction validation bypass. Full technical details and patched code available in GitHub security advisory: https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx. Commit implementing fix: https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20994
GHSA-9hfr-gw99-8rhx