CVE-2026-40069 (GCVE-0-2026-40069)

Vulnerability from cvelistv5 – Published: 2026-04-09 17:22 – Updated: 2026-04-13 20:11

Title

bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts

Summary

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

GitHub_M

References

URL

Tags

	https://github.com/sgbett/bsv-ruby-sdk/security/a…	x_refsource_CONFIRM
	https://github.com/sgbett/bsv-ruby-sdk/issues/305	x_refsource_MISC
	https://github.com/sgbett/bsv-ruby-sdk/pull/306	x_refsource_MISC
	https://github.com/sgbett/bsv-ruby-sdk/commit/499…	x_refsource_MISC
	https://github.com/sgbett/bsv-ruby-sdk/releases/t…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	sgbett	bsv-ruby-sdk	Affected: >= 0.1.0, < 0.8.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40069",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T20:11:39.186859Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T20:11:51.134Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bsv-ruby-sdk",
          "vendor": "sgbett",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.0, \u003c 0.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC\u0027s failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T17:22:28.416Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx"
        },
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/issues/305",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"
        },
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/pull/306",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"
        },
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"
        },
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2"
        }
      ],
      "source": {
        "advisory": "GHSA-9hfr-gw99-8rhx",
        "discovery": "UNKNOWN"
      },
      "title": "bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40069",
    "datePublished": "2026-04-09T17:22:28.416Z",
    "dateReserved": "2026-04-09T00:39:12.204Z",
    "dateUpdated": "2026-04-13T20:11:51.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40069",
      "date": "2026-04-25",
      "epss": "0.00041",
      "percentile": "0.12372"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40069\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-09T18:17:03.043\",\"lastModified\":\"2026-04-13T15:02:27.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC\u0027s failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-754\"}]}],\"references\":[{\"url\":\"https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sgbett/bsv-ruby-sdk/issues/305\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sgbett/bsv-ruby-sdk/pull/306\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40069\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-13T20:11:39.186859Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-13T20:11:45.553Z\"}}], \"cna\": {\"title\": \"bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts\", \"source\": {\"advisory\": \"GHSA-9hfr-gw99-8rhx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"sgbett\", \"product\": \"bsv-ruby-sdk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.1.0, \u003c 0.8.2\"}]}], \"references\": [{\"url\": \"https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx\", \"name\": \"https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/sgbett/bsv-ruby-sdk/issues/305\", \"name\": \"https://github.com/sgbett/bsv-ruby-sdk/issues/305\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sgbett/bsv-ruby-sdk/pull/306\", \"name\": \"https://github.com/sgbett/bsv-ruby-sdk/pull/306\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc\", \"name\": \"https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2\", \"name\": \"https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC\u0027s failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-754\", \"description\": \"CWE-754: Improper Check for Unusual or Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-09T17:22:28.416Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40069\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-13T20:11:51.134Z\", \"dateReserved\": \"2026-04-09T00:39:12.204Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-09T17:22:28.416Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40069

Vulnerability from fkie_nvd - Published: 2026-04-09 18:17 - Updated: 2026-04-13 15:02

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc
	security-advisories@github.com	https://github.com/sgbett/bsv-ruby-sdk/issues/305
	security-advisories@github.com	https://github.com/sgbett/bsv-ruby-sdk/pull/306
	security-advisories@github.com	https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2
	security-advisories@github.com	https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC\u0027s failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2."
    }
  ],
  "id": "CVE-2026-40069",
  "lastModified": "2026-04-13T15:02:27.760",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-09T18:17:03.043",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-754"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-9HFR-GW99-8RHX

Vulnerability from github – Published: 2026-04-09 20:28 – Updated: 2026-04-09 20:28

Summary

bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts

Details

ARC broadcaster treats failure statuses as successful broadcasts

Summary

BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network.

Details

lib/bsv/network/arc.rb (lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises:

INVALID
MALFORMED
MINED_IN_STALE_BLOCK
Any response containing ORPHAN in extraInfo or txStatus

The Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts.

Additional divergences in the same module compound the risk:

Content-Type is sent as application/octet-stream; the TS reference sends application/json with a { rawTx: <hex> } body (EF form where source transactions are available).
The headers XDeployment-ID, X-CallbackUrl, and X-CallbackToken are not sent.

The immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance.

Impact

Integrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success — releasing goods, marking invoices paid, treating a token as minted, progressing a workflow — are tricked into trusting transactions that were never broadcast.

This is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability.

CVSS rationale

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N → 7.5 (High)

AV:N — network-reachable.
AC:L — no specialised access conditions are required. Triggering any of the unhandled failure statuses is not meaningfully harder than broadcasting a transaction at all: a malformed or invalid transaction, an orphan condition from a transient fork, or a hostile/misbehaving ARC endpoint returning one of these statuses is sufficient. The attacker does not need to defeat any mitigation or race a specific window — the bug is that the code path doesn't exist at all.
PR:N — no privileges required.
UI:N — no user interaction.
C:N — no confidentiality impact.
I:H — downstream integrity decisions are taken on non-broadcast transactions.
A:N — no availability impact.

Affected versions

The ARC broadcaster was introduced in commit a1f2e62 ("feat(network): add ARC broadcaster with injectable HTTP client") on 2026-02-08 and first released in v0.1.0. The narrow failure predicate has been present since introduction. Every release up to and including v0.8.1 is affected.

Affected range: >= 0.1.0, < 0.8.2.

Patches

Upgrade to bsv-sdk >= 0.8.2. The fix:

Expands the failure predicate (REJECTED_STATUSES + ORPHAN substring check on both txStatus and extraInfo) to include INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and any orphan-containing response, matching the TypeScript reference.
Switches Content-Type to application/json with a { rawTx: <hex> } body, preferring Extended Format (BRC-30) hex when every input has source_satoshis and source_locking_script populated and falling back to plain raw-tx hex otherwise.
Adds support for the XDeployment-ID (default: random bsv-ruby-sdk-<hex>), X-CallbackUrl, and X-CallbackToken headers via new constructor keyword arguments.

Fixed in sgbett/bsv-ruby-sdk#306.

Note for `bsv-wallet` consumers

The sibling gem bsv-wallet (published from the same repository) is not independently vulnerable — lib/bsv/network/arc.rb is not bundled into the wallet gem's files list. However, bsv-wallet runtime-depends on bsv-sdk, so a consumer of bsv-wallet that also invokes the ARC broadcaster is transitively exposed whenever Gemfile.lock resolves to a vulnerable bsv-sdk version. bsv-wallet >= 0.3.4 tightens its bsv-sdk constraint to >= 0.8.2, < 1.0, so upgrading either gem is sufficient to pull in the fix.

Workarounds

If upgrading is not immediately possible:

Verify broadcast results out-of-band (e.g. query a block explorer or WhatsOnChain) before treating a transaction as broadcast.
Do not gate integrity-critical actions solely on the ARC broadcaster's success response.

Credit

Identified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13.

References

HLR: sgbett/bsv-ruby-sdk#305
Fix PR: sgbett/bsv-ruby-sdk#306
Compliance review: .architecture/reviews/20260408-cross-sdk-compliance-review.md
TypeScript reference: ARC class in @bsv/sdk

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "bsv-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "0.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T20:28:26Z",
    "nvd_published_at": "2026-04-09T18:17:03Z",
    "severity": "HIGH"
  },
  "details": "# ARC broadcaster treats failure statuses as successful broadcasts\n\n## Summary\n\n`BSV::Network::ARC`\u0027s failure detection only recognises `REJECTED` and `DOUBLE_SPEND_ATTEMPTED`. ARC responses with `txStatus` values of `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, or any `ORPHAN`-containing `extraInfo` / `txStatus` are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network.\n\n## Details\n\n`lib/bsv/network/arc.rb` (lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises:\n\n- `INVALID`\n- `MALFORMED`\n- `MINED_IN_STALE_BLOCK`\n- Any response containing `ORPHAN` in `extraInfo` or `txStatus`\n\nThe Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts.\n\nAdditional divergences in the same module compound the risk:\n\n- `Content-Type` is sent as `application/octet-stream`; the TS reference sends `application/json` with a `{ rawTx: \u003chex\u003e }` body (EF form where source transactions are available).\n- The headers `XDeployment-ID`, `X-CallbackUrl`, and `X-CallbackToken` are not sent.\n\nThe immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance.\n\n## Impact\n\nIntegrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success \u2014 releasing goods, marking invoices paid, treating a token as minted, progressing a workflow \u2014 are tricked into trusting transactions that were never broadcast.\n\nThis is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability.\n\n## CVSS rationale\n\n`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` \u2192 **7.5 (High)**\n\n- **AV:N** \u2014 network-reachable.\n- **AC:L** \u2014 no specialised access conditions are required. Triggering any of the unhandled failure statuses is not meaningfully harder than broadcasting a transaction at all: a malformed or invalid transaction, an orphan condition from a transient fork, or a hostile/misbehaving ARC endpoint returning one of these statuses is sufficient. The attacker does not need to defeat any mitigation or race a specific window \u2014 the bug is that the code path doesn\u0027t exist at all.\n- **PR:N** \u2014 no privileges required.\n- **UI:N** \u2014 no user interaction.\n- **C:N** \u2014 no confidentiality impact.\n- **I:H** \u2014 downstream integrity decisions are taken on non-broadcast transactions.\n- **A:N** \u2014 no availability impact.\n\n## Affected versions\n\nThe ARC broadcaster was introduced in commit `a1f2e62` (\"feat(network): add ARC broadcaster with injectable HTTP client\") on 2026-02-08 and first released in **v0.1.0**. The narrow failure predicate has been present since introduction. Every release up to and including **v0.8.1** is affected.\n\nAffected range: `\u003e= 0.1.0, \u003c 0.8.2`.\n\n## Patches\n\nUpgrade to `bsv-sdk \u003e= 0.8.2`. The fix:\n\n- Expands the failure predicate (`REJECTED_STATUSES` + `ORPHAN` substring check on both `txStatus` and `extraInfo`) to include `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, and any orphan-containing response, matching the TypeScript reference.\n- Switches `Content-Type` to `application/json` with a `{ rawTx: \u003chex\u003e }` body, preferring Extended Format (BRC-30) hex when every input has `source_satoshis` and `source_locking_script` populated and falling back to plain raw-tx hex otherwise.\n- Adds support for the `XDeployment-ID` (default: random `bsv-ruby-sdk-\u003chex\u003e`), `X-CallbackUrl`, and `X-CallbackToken` headers via new constructor keyword arguments.\n\nFixed in sgbett/bsv-ruby-sdk#306.\n\n### Note for `bsv-wallet` consumers\n\nThe sibling gem `bsv-wallet` (published from the same repository) is not independently vulnerable \u2014 `lib/bsv/network/arc.rb` is not bundled into the wallet gem\u0027s `files` list. However, `bsv-wallet` runtime-depends on `bsv-sdk`, so a consumer of `bsv-wallet` that also invokes the ARC broadcaster is transitively exposed whenever `Gemfile.lock` resolves to a vulnerable `bsv-sdk` version. `bsv-wallet \u003e= 0.3.4` tightens its `bsv-sdk` constraint to `\u003e= 0.8.2, \u003c 1.0`, so upgrading either gem is sufficient to pull in the fix.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n- Verify broadcast results out-of-band (e.g. query a block explorer or WhatsOnChain) before treating a transaction as broadcast.\n- Do not gate integrity-critical actions solely on the ARC broadcaster\u0027s success response.\n\n## Credit\n\nIdentified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13.\n\n## References\n\n- HLR: sgbett/bsv-ruby-sdk#305\n- Fix PR: sgbett/bsv-ruby-sdk#306\n- Compliance review: [`.architecture/reviews/20260408-cross-sdk-compliance-review.md`](../../.architecture/reviews/20260408-cross-sdk-compliance-review.md)\n- TypeScript reference: `ARC` class in `@bsv/sdk`",
  "id": "GHSA-9hfr-gw99-8rhx",
  "modified": "2026-04-09T20:28:26Z",
  "published": "2026-04-09T20:28:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40069"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sgbett/bsv-ruby-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40069 (GCVE-0-2026-40069)

FKIE_CVE-2026-40069

GHSA-9HFR-GW99-8RHX

ARC broadcaster treats failure statuses as successful broadcasts

Summary

Details

Impact

CVSS rationale

Affected versions

Patches

Note for bsv-wallet consumers

Workarounds

Credit

References

Tags

Sightings

Nomenclature

Note for `bsv-wallet` consumers