CVE-2023-30543
`chainId` may be outdated if user changes chains as part of connection in @web3-react
Description
### Impact

`chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by `useWeb3React()` may be incorrect. In an application, this means that any data derived from `chainId` could be incorrect. For example, if a swapping application derives a wrapped token contract address from the `chainId` *and* a user has changed chains as part of their connection flow, the application could cause the user to send funds to the incorrect address when wrapping. This is a common approach when using other foundational libraries like [`ethers`](https://github.com/ethers-io/ethers.js), and most users of v8 will want to upgrade past the affected versions.

### Patches

Patched in https://github.com/Uniswap/web3-react/pull/749. Users of the affected v8 packages should upgrade to at least:

- @web3-react/coinbase-wallet@^8.0.35-beta.0
- @web3-react/eip1193@^8.0.27-beta.0
- @web3-react/metamask@^8.0.30-beta.0
- @web3-react/walletconnect@^8.0.37-beta.0

### Workarounds

N/A

### References

N/A
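The failure mode above is a stale `chainId` being trusted for chain-specific derivations. The following is an added defensive example, not code from web3-react or the advisory: before deriving a wrapped-token address, the application re-reads the live chain from the EIP-1193 provider (`eth_chainId`) and refuses to proceed when it disagrees with the `chainId` held in application state. The `WRAPPED_NATIVE_TOKEN` addresses and the mock provider are constructed placeholders, not real deployments.

```javascript
// Constructed placeholder addresses keyed by chain id (NOT real deployments).
const WRAPPED_NATIVE_TOKEN = {
  1: '0x1111111111111111111111111111111111111111',
  137: '0x2222222222222222222222222222222222222222',
};

// eth_chainId returns a 0x-prefixed hex string (e.g. '0x89'); normalise to a number.
function parseChainId(hex) {
  if (typeof hex !== 'string' || !/^0x[0-9a-fA-F]+$/.test(hex)) {
    throw new Error(`unexpected eth_chainId result: ${hex}`);
  }
  return Number.parseInt(hex, 16);
}

// Pure check: given the chainId the app believes (e.g. what useWeb3React() returned)
// and the chainId the provider reports right now, return the address to use or throw.
// Refusing is the safe outcome: a wrong address here means funds sent to the wrong place.
function resolveWrappedToken(stateChainId, liveChainId) {
  if (stateChainId !== liveChainId) {
    throw new Error(
      `stale chainId: app state says ${stateChainId}, provider reports ${liveChainId}; refusing to derive address`
    );
  }
  const address = WRAPPED_NATIVE_TOKEN[liveChainId];
  if (!address) throw new Error(`no wrapped token configured for chain ${liveChainId}`);
  return address;
}

// Async wrapper: always ask the provider for its current chain before deriving.
async function wrappedTokenFor(provider, stateChainId) {
  const live = parseChainId(await provider.request({ method: 'eth_chainId' }));
  return resolveWrappedToken(stateChainId, live);
}

// Constructed mock provider (assumption): the user switched to chain 137 during the
// connection flow, but application state still holds chainId 1 from the initial handshake.
const staleScenario = {
  request: async ({ method }) => (method === 'eth_chainId' ? '0x89' : null),
};

wrappedTokenFor(staleScenario, 1)
  .then((addr) => console.log('derived', addr))
  .catch((err) => console.log('blocked:', err.message));
```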
How to fix CVE-2023-30543
To remediate CVE-2023-30543, upgrade the affected package to a fixed version below.
- @web3-react/coinbase-wallet: upgrade to 8.0.35-beta.0 or later
- @web3-react/eip1193: upgrade to 8.0.27-beta or later
- @web3-react/metamask: upgrade to 8.0.30-beta.0 or later
- @web3-react/walletconnect: upgrade to 8.0.37-beta.0 or later
Is CVE-2023-30543 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- @web3-react/coinbase-wallet: >= 6.0.0, < 8.0.35-beta.0
- @web3-react/eip1193: >= 6.0.0, < 8.0.27-beta
- @web3-react/metamask: >= 6.0.0, < 8.0.30-beta.0
- @web3-react/walletconnect: >= 6.0.0, < 8.0.37-beta.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L |