EUVD-2026-20994
GHSA-9hfr-gw99-8rhx
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.
Analysis
Incorrect transaction broadcast failure detection in BSV Ruby SDK 0.1.0 through 0.8.1 allows unauthenticated remote attackers to manipulate application logic by exploiting incomplete ARC response validation. The SDK's BSV::Network::ARC module only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED status codes as failures, silently treating INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN-containing responses as successful broadcasts. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and services using BSV Ruby SDK and document current deployed versions; verify whether transaction broadcast responses are used for critical business logic decisions (payments, access control, fund transfers). Within 7 days: Contact BSV Ruby SDK maintainers for patch status and estimated release timeline; implement compensating control (see below) to validate all ARC response codes before accepting broadcast confirmation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today