Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by alchemyplatform
CVE-2025-46834 (GCVE-0-2025-46834)
Vulnerability from cvelistv5 – Published: 2025-05-15 19:37 – Updated: 2025-05-19 14:42
VLAI
Title
Alchemy's Modular Account can use executeUserOp to bypass allowlist prevalidation hook
Summary
Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/alchemyplatform/modular-accoun… | x_refsource_CONFIRM |
| https://github.com/alchemyplatform/modular-accoun… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| alchemyplatform | modular-account |
Affected:
= 2.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46834",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:41:50.807784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:42:13.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "modular-account",
"vendor": "alchemyplatform",
"versions": [
{
"status": "affected",
"version": "= 2.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Alchemy\u0027s Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don\u0027t check for the `executeUserOp` -\u003e `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:37:07.090Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv"
},
{
"name": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0"
}
],
"source": {
"advisory": "GHSA-jhp7-7cq9-m4pv",
"discovery": "UNKNOWN"
},
"title": "Alchemy\u0027s Modular Account can use executeUserOp to bypass allowlist prevalidation hook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46834",
"datePublished": "2025-05-15T19:37:07.090Z",
"dateReserved": "2025-04-30T19:41:58.135Z",
"dateUpdated": "2025-05-19T14:42:13.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46834 (GCVE-0-2025-46834)
Vulnerability from nvd – Published: 2025-05-15 19:37 – Updated: 2025-05-19 14:42
VLAI
Title
Alchemy's Modular Account can use executeUserOp to bypass allowlist prevalidation hook
Summary
Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/alchemyplatform/modular-accoun… | x_refsource_CONFIRM |
| https://github.com/alchemyplatform/modular-accoun… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| alchemyplatform | modular-account |
Affected:
= 2.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46834",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:41:50.807784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:42:13.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "modular-account",
"vendor": "alchemyplatform",
"versions": [
{
"status": "affected",
"version": "= 2.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Alchemy\u0027s Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don\u0027t check for the `executeUserOp` -\u003e `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:37:07.090Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv"
},
{
"name": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0"
}
],
"source": {
"advisory": "GHSA-jhp7-7cq9-m4pv",
"discovery": "UNKNOWN"
},
"title": "Alchemy\u0027s Modular Account can use executeUserOp to bypass allowlist prevalidation hook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46834",
"datePublished": "2025-05-15T19:37:07.090Z",
"dateReserved": "2025-04-30T19:41:58.135Z",
"dateUpdated": "2025-05-19T14:42:13.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}