CVE-2020-5232
Malicious takeover of previously owned ENS names
Description
### Impact
A user who owns an ENS domain can set a "trapdoor", allowing them to transfer ownership to another user, and later regain ownership without the new owner's consent or awareness.
### Patches
A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry. The registry is newly deployed at [0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e](https://etherscan.io/address/0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e).
### Workarounds
Do not accept transfers of ENS domains from other users on the old registrar.
How to fix CVE-2020-5232
To remediate CVE-2020-5232, upgrade the affected package to a fixed version below.
- —upgrade to 0.4.0 or later
Is CVE-2020-5232 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |