ghsa-33qr-m49q-rxfx
Vulnerability from github
Published
2025-04-22 18:57
Modified
2025-04-22 23:53
Severity ?
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2
Details

Impact

Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If you are using one of these versions, stop immediately and rotate any private keys or secrets used with affected systems.

Version 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions.

Patches

Upgrade to version 4.2.5 or 2.14.3.

Required Actions

To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys:

The XRP Ledger supports key rotation: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair

If any account's master key is potentially compromised, you should disable it: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair

References

https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "xrpl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.1"
            },
            {
              "fixed": "4.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "xrpl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.14.2"
            },
            {
              "fixed": "2.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.14.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-22T18:57:48Z",
    "nvd_published_at": "2025-04-22T21:15:45Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nVersions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If you are using one of these versions, stop immediately and rotate any private keys or secrets used with affected systems.\n\nVersion 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions.\n\n### Patches\nUpgrade to version 4.2.5 or 2.14.3.\n\n### Required Actions\nTo secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys:\n\nThe XRP Ledger supports key rotation: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair\n\nIf any account\u0027s master key is potentially compromised, you should disable it: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair\n\n### References\nhttps://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor",
  "id": "GHSA-33qr-m49q-rxfx",
  "modified": "2025-04-22T23:53:56Z",
  "published": "2025-04-22T18:57:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32965"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/XRPLF/xrpl.js"
    },
    {
      "type": "WEB",
      "url": "https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor"
    },
    {
      "type": "WEB",
      "url": "https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair"
    },
    {
      "type": "WEB",
      "url": "https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.