FKIE_CVE-2025-69287

Vulnerability from fkie_nvd - Published: 2026-02-18 19:21 - Updated: 2026-02-19 15:53
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Summary
The BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps on the BSV Blockchain. Prior to version 2.0.0, a cryptographic vulnerability in the TypeScript SDK's BRC-104 authentication implementation caused incorrect signature data preparation, resulting in signature incompatibility between SDK implementations and potential authentication bypass scenarios. The vulnerability was located in the `Peer.ts` file of the TypeScript SDK, specifically in the `processInitialRequest` and `processInitialResponse` methods where signature data is prepared for BRC-104 mutual authentication. The TypeScript SDK incorrectly prepared signature data by concatenating base64-encoded nonce strings (`message.initialNonce + sessionNonce`) then decoding the concatenated base64 string (`base64ToBytes(concatenatedString)`). This produced ~32-34 bytes of signature data instead of the correct 64 bytes. BRC-104 authentication relies on cryptographic signatures to establish mutual trust between peers. When signature data preparation is incorrect, signatures generated by the TypeScript SDK don't match those expected by Go/Python SDKs; cross-implementation authentication fails; and an attacker could potentially exploit this to bypass authentication checks. The fix in version 2.0.0 ensures all SDKs now produce identical cryptographic signatures, restoring proper mutual authentication across implementations.
References
security-advisories@github.comhttps://github.com/bsv-blockchain/ts-sdk/commit/d8cf6930028372079d977138ae9eaa03ae2f50bb
security-advisories@github.comhttps://github.com/bsv-blockchain/ts-sdk/security/advisories/GHSA-vjpq-xx5g-qvmm
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps on the BSV Blockchain. Prior to version 2.0.0, a cryptographic vulnerability in the TypeScript SDK\u0027s BRC-104 authentication implementation caused incorrect signature data preparation, resulting in signature incompatibility between SDK implementations and potential authentication bypass scenarios. The vulnerability was located in the `Peer.ts` file of the TypeScript SDK, specifically in the `processInitialRequest` and `processInitialResponse` methods where signature data is prepared for BRC-104 mutual authentication. The TypeScript SDK incorrectly prepared signature data by concatenating base64-encoded nonce strings (`message.initialNonce + sessionNonce`) then decoding the concatenated base64 string (`base64ToBytes(concatenatedString)`). This produced ~32-34 bytes of signature data instead of the correct 64 bytes. BRC-104 authentication relies on cryptographic signatures to establish mutual trust between peers. When signature data preparation is incorrect, signatures generated by the TypeScript SDK don\u0027t match those expected by Go/Python SDKs; cross-implementation authentication fails; and an attacker could potentially exploit this to bypass authentication checks. The fix in version 2.0.0 ensures all SDKs now produce identical cryptographic signatures, restoring proper mutual authentication across implementations."
    },
    {
      "lang": "es",
      "value": "El SDK de BSV Blockchain es un SDK unificado de TypeScript para desarrollar aplicaciones escalables en la BSV Blockchain. Antes de la versi\u00f3n 2.0.0, una vulnerabilidad criptogr\u00e1fica en la implementaci\u00f3n de autenticaci\u00f3n BRC-104 del SDK de TypeScript caus\u00f3 una preparaci\u00f3n incorrecta de los datos de la firma, lo que result\u00f3 en incompatibilidad de firmas entre implementaciones de SDK y posibles escenarios de omisi\u00f3n de autenticaci\u00f3n. La vulnerabilidad se encontraba en el archivo \u0027Peer.ts\u0027 del SDK de TypeScript, espec\u00edficamente en los m\u00e9todos \u0027processInitialRequest\u0027 y \u0027processInitialResponse\u0027 donde se preparan los datos de la firma para la autenticaci\u00f3n mutua BRC-104. El SDK de TypeScript prepar\u00f3 incorrectamente los datos de la firma al concatenar cadenas nonce codificadas en base64 (\u0027message.initialNonce + sessionNonce\u0027) y luego decodificar la cadena base64 concatenada (\u0027base64ToBytes(concatenatedString)\u0027). Esto produjo ~32-34 bytes de datos de firma en lugar de los 64 bytes correctos. La autenticaci\u00f3n BRC-104 se basa en firmas criptogr\u00e1ficas para establecer confianza mutua entre pares. Cuando la preparaci\u00f3n de los datos de la firma es incorrecta, las firmas generadas por el SDK de TypeScript no coinciden con las esperadas por los SDK de Go/Python; la autenticaci\u00f3n entre implementaciones falla; y un atacante podr\u00eda potencialmente explotar esto para omitir las comprobaciones de autenticaci\u00f3n. La correcci\u00f3n en la versi\u00f3n 2.0.0 asegura que todos los SDK ahora produzcan firmas criptogr\u00e1ficas id\u00e9nticas, restaurando la autenticaci\u00f3n mutua adecuada entre implementaciones."
    }
  ],
  "id": "CVE-2025-69287",
  "lastModified": "2026-02-19T15:53:02.850",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-18T19:21:42.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bsv-blockchain/ts-sdk/commit/d8cf6930028372079d977138ae9eaa03ae2f50bb"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bsv-blockchain/ts-sdk/security/advisories/GHSA-vjpq-xx5g-qvmm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-573"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.