GHSA-33QR-M49Q-RXFX
Vulnerability from github – Published: 2025-04-22 18:57 – Updated: 2025-04-22 23:53
Impact
Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If you are using one of these versions, stop immediately and rotate any private keys or secrets used with affected systems.
Version 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions.
Patches
Upgrade to version 4.2.5 or 2.14.3.
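To check whether one of the compromised builds is actually present in a dependency tree, the following added example (not code from the advisory or the xrpl.js project) walks an npm package-lock.json and matches every xrpl entry against the advisory's [introduced, fixed) ranges; the lockfile it scans is a constructed sample.

```javascript
// Added example: flag xrpl installs that fall inside the affected ranges
// published in GHSA-33qr-m49q-rxfx. Range semantics are OSV "ECOSYSTEM"
// events: a version is affected if introduced <= version < fixed.
const AFFECTED = {
  xrpl: [
    { introduced: "4.2.1", fixed: "4.2.5" },
    { introduced: "2.14.2", fixed: "2.14.3" },
  ],
};

// Compare plain numeric dotted versions (assumption: no prerelease tags,
// which is true for every version the advisory lists).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const ranges = AFFECTED[name];
  if (!ranges || !version) return false;
  return ranges.some(r =>
    compareVersions(version, r.introduced) >= 0 &&
    compareVersions(version, r.fixed) < 0);
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map) and return
// every install path, nested copies included, whose version is affected.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project, not a dependency
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (isAffected(name, entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: one affected top-level copy, one nested clean copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-dep/node_modules/xrpl": { version: "4.2.5" },
  },
});

console.log(scanLockfile(SAMPLE_LOCK)); // [ { path: 'node_modules/xrpl', version: '4.2.3' } ]
```

Point `scanLockfile` at the real lockfile contents (`fs.readFileSync("package-lock.json", "utf8")`) to check a project; a non-empty result means the key-rotation steps below apply.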
Required Actions
To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys:
The XRP Ledger supports key rotation: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair
If any account's master key is potentially compromised, you should disable it: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair
References
https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "xrpl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.1"
            },
            {
              "fixed": "4.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "xrpl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.14.2"
            },
            {
              "fixed": "2.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.14.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-22T18:57:48Z",
    "nvd_published_at": "2025-04-22T21:15:45Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nVersions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If you are using one of these versions, stop immediately and rotate any private keys or secrets used with affected systems.\n\nVersion 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions.\n\n### Patches\nUpgrade to version 4.2.5 or 2.14.3.\n\n### Required Actions\nTo secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys:\n\nThe XRP Ledger supports key rotation: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair\n\nIf any account\u0027s master key is potentially compromised, you should disable it: https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair\n\n### References\nhttps://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor",
  "id": "GHSA-33qr-m49q-rxfx",
  "modified": "2025-04-22T23:53:56Z",
  "published": "2025-04-22T18:57:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32965"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/XRPLF/xrpl.js"
    },
    {
      "type": "WEB",
      "url": "https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor"
    },
    {
      "type": "WEB",
      "url": "https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair"
    },
    {
      "type": "WEB",
      "url": "https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.