Skip to main content

Bsv Ruby Sdk EUVDEUVD-2026-20994

| CVE-2026-40069 HIGH
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-04-09 GitHub_M GHSA-9hfr-gw99-8rhx
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 17:22 vuln.today
cvss_changed
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 18:15 euvd
EUVD-2026-20994
Analysis Generated
Apr 09, 2026 - 18:15 vuln.today
CVE Published
Apr 09, 2026 - 17:22 nvd
HIGH 7.5

DescriptionGitHub Advisory

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.

AnalysisAI

Incorrect transaction broadcast failure detection in BSV Ruby SDK 0.1.0 through 0.8.1 allows unauthenticated remote attackers to manipulate application logic by exploiting incomplete ARC response validation. The SDK's BSV::Network::ARC module only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED status codes as failures, silently treating INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN-containing responses as successful broadcasts. Applications relying on broadcast confirmation for gating critical actions accept failed transactions as valid, enabling integrity compromise in blockchain-dependent workflows. No public exploit identified at time of analysis.

Technical ContextAI

Root cause stems from incomplete enumeration of failure conditions (CWE-754) in ARC transaction status parsing logic. The network broadcast handler implements a whitelist approach that only validates two explicit failure states, defaulting all unrecognized ARC protocol responses to success. This creates a logic gap where multiple legitimate failure statuses bypass detection, violating fail-secure principles in blockchain transaction validation workflows.

RemediationAI

Vendor-released patch: upgrade to BSV Ruby SDK version 0.8.2 or later, which implements comprehensive ARC response validation covering all documented failure states. The fix expands failure detection logic to correctly identify INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN status codes. Review application logic that depends on broadcast success confirmation to ensure proper error handling for previously misclassified failures. No workaround available for unpatched versions; applications using affected versions should prioritize immediate upgrade to prevent transaction validation bypass. Full technical details and patched code available in GitHub security advisory: https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx. Commit implementing fix: https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc.

Share

EUVD-2026-20994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy