Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server.
Recommendation
- Update to the fixed version of the chaincode runtime.
- Redact or remove existing logs that contain the TLS private key password.
- Change the TLS private key password.
Mitigation
Impacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.
AnalysisAI
TLS private key password exposure in Hyperledger fabric-chaincode-java (versions 2.3.1 through 2.5.9) leaks credentials to any local user with read access to chaincode server logs when the service runs in chaincode-as-a-service (CaaS) mode with TLS enabled. The fabric-chaincode-shim runtime logs the TLS private key password in plaintext at INFO level during server startup, classified under CWE-532. A local attacker who recovers the logged password and separately obtains the TLS private key file gains the material needed to impersonate the chaincode server, potentially intercepting or injecting chaincode communications. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
The affected component is the Maven artifact org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim (CPE: pkg:maven/org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim), which is the Java shim library enabling Hyperledger Fabric chaincode to communicate with the peer node. Chaincode-as-a-service (CaaS) is a Fabric deployment mode where chaincode runs as an external service rather than inside a managed Docker container, requiring a separate TLS-secured gRPC channel between the peer and the chaincode server. The root cause is CWE-532: Insertion of Sensitive Information into Log File - during server initialization, the shim logs its startup parameters including the TLS private key password (passphrase protecting the PKCS private key) at the default INFO log level, which is commonly retained in log aggregation systems, container stdout, or log files readable by operators and monitoring agents. Exploitation of the full impersonation scenario requires chaining the password disclosure with independent access to the encrypted private key file itself.
RemediationAI
The primary fix is upgrading the fabric-chaincode-shim Maven dependency to version 2.5.10 or later, as documented in the GitHub Security Advisory at https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r. After upgrading, rotate the TLS private key password and redact or purge any existing log archives (stdout captures, log aggregation indexes, container logs) that may contain the plaintext password from prior startups - those historical records remain a residual exposure even after patching. If an immediate upgrade is not feasible, the documented mitigation is to configure the chaincode server logging level to WARNING or higher, which suppresses INFO-level output and prevents the password from being written to new log entries; note that this mitigation does not remediate previously written logs and may reduce operational visibility into chaincode startup diagnostics. No other workarounds are identified in available data.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35139
GHSA-wg5x-3g47-v38r