@okxweb3/crypto-lib using vulnerable packages

okx / js-wallet-sdk

Multi-chain typescript signature sdk, supports bitcoin, ethereum, solana, cosmos, etc.

https://okx.github.io/js-wallet-sdk/#/

MIT License

234 stars 87 forks source link

@okxweb3/crypto-lib using vulnerable packages #104

Closed jonatns closed 7 months ago

jonatns commented 7 months ago

Our recent security audit discovered that @okxweb3/crypto-lib which is used by @okxweb3/coin-bitcoin is using an outdated crypto-js version that has a critical vulnerability. Also, jsrsasign has a high severity vulnerability.

leverwwz commented 7 months ago

Our recent security audit discovered that @okxweb3/crypto-lib which is used by @okxweb3/coin-bitcoin is using an outdated crypto-js version that has a critical vulnerability. Also, jsrsasign has a high severity vulnerability.

@jonatns thanks for your issue, and we have analyse this, and the vulnerability of jsrsasign is about RSA, reference is https://github.com/advisories/GHSA-rh63-9qcf-83gf.

later we will update jsrsasign lib as soon as possible.