CVE-2022-35917

Description

### Description When a Solana Pay transaction is located using a [reference key](https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference), it may be checked to represent a transfer of the desired amount to the recipient, using the supplied [`validateTransfer` function](https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts). An edge case regarding this mechanism could cause the validation logic to validate multiple transfers. ### Impact Most known Solana Pay point of sale applications are currently run on physical point of sale devices, which makes this issue unlikely to occur. However, there may be web-based point of sale applications using the protocol where it may be more likely to occur. ### Patches This issue has been patched as of version [`0.2.1`](https://www.npmjs.com/package/@solana/pay/v/0.2.1). Users of the Solana Pay SDK should upgrade to it.

How to fix CVE-2022-35917

To remediate CVE-2022-35917, upgrade the affected package to a fixed version below.

• —upgrade to 0.2.1 or later

Is CVE-2022-35917 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.2.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-35917
• PATCHgithub.com/solana-labs/solana-pay
• WEBgithub.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts
• WEBgithub.com/solana-labs/solana-pay/blob/master/SPEC.md#reference