{"url":"http://public2.vulnerablecode.io/api/packages/1018239?format=json","purl":"pkg:gem/bsv-sdk@0.2.1","type":"gem","namespace":"","name":"bsv-sdk","version":"0.2.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.8.2","latest_non_vulnerable_version":"0.8.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51411?format=json","vulnerability_id":"VCID-b2b4-b1vc-uue2","summary":"bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts\n# ARC broadcaster treats failure statuses as successful broadcasts\n\n## Summary\n\n`BSV::Network::ARC`'s failure detection only recognises `REJECTED`\nand `DOUBLE_SPEND_ATTEMPTED`. ARC responses with `txStatus` values\nof `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, or any\n`ORPHAN`-containing `extraInfo` / `txStatus` are silently treated\nas successful broadcasts. Applications that gate actions on broadcaster\nsuccess are tricked into trusting transactions that were never\naccepted by the network.\n\n## Details\n\n`lib/bsv/network/arc.rb` (lines ~74-100 in the affected code) uses a\nnarrow failure predicate compared to the TypeScript reference SDK.\nThe TS broadcaster additionally recognises:\n\n- `INVALID`\n- `MALFORMED`\n- `MINED_IN_STALE_BLOCK`\n- Any response containing `ORPHAN` in `extraInfo` or `txStatus`\n\nThe Ruby implementation omits all of these, so ARC responses\ncarrying any of these statuses are returned to the caller as\nsuccessful broadcasts.\n\nAdditional divergences in the same module compound the risk:\n\n- `Content-Type` is sent as `application/octet-stream`; the TS\n  reference sends `application/json` with a `{ rawTx: <hex> }`\n  body (EF form where source transactions are available).\n- The headers `XDeployment-ID`, `X-CallbackUrl`, and `X-CallbackToken`\n  are not sent.\n\nThe immediate security-relevant defect is the missing failure\nstatuses; the other divergences are fixed in the same patch for\nprotocol compliance.\n\n## Impact\n\nIntegrity: callers receive a success response for broadcasts that\nwere actually rejected by the ARC endpoint. Applications and\ndownstream gems that gate actions on broadcaster success — releasing\ngoods, marking invoices paid, treating a token as minted, progressing\na workflow — are tricked into trusting transactions that were never broadcast.\n\nThis is an integrity bug with security consequences. It does not\ndisclose information (confidentiality unaffected) and does not\naffect availability.\n\n## CVSS rationale\n\n`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` → **7.5 (High)**\n\n- **AV:N** — network-reachable.\n- **AC:L** — no specialised access conditions are required. Triggering\n  any of the unhandled failure statuses is not meaningfully harder\n  than broadcasting a transaction at all: a malformed or invalid\n  transaction, an orphan condition from a transient fork, or a\n  hostile/misbehaving ARC endpoint returning one of these statuses\n  is sufficient. The attacker does not need to defeat any mitigation\n  or race a specific window — the bug is that the code path doesn't\n  exist at all.\n- **PR:N** — no privileges required.\n- **UI:N** — no user interaction.\n- **C:N** — no confidentiality impact.\n- **I:H** — downstream integrity decisions are taken on\n  non-broadcast transactions.\n- **A:N** — no availability impact.\n\n## Affected versions\n\nThe ARC broadcaster was introduced in commit `a1f2e62` (\"feat(network):\nadd ARC broadcaster with injectable HTTP client\") on 2026-02-08 and\nfirst released in **v0.1.0**. The narrow failure predicate has been\npresent since introduction. Every release up to and including **v0.8.1**\nis affected.\n\nAffected range: `>= 0.1.0, < 0.8.2`.\n\n## Patches\n\nUpgrade to `bsv-sdk >= 0.8.2`. The fix:\n\n- Expands the failure predicate (`REJECTED_STATUSES` + `ORPHAN`\n  substring check on both `txStatus` and `extraInfo`) to include\n  `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, and any\n  orphan-containing response, matching the TypeScript reference.\n- Switches `Content-Type` to `application/json` with a `{ rawTx: <hex> }`\n  body, preferring Extended Format (BRC-30) hex when every input has\n  `source_satoshis` and `source_locking_script` populated and falling\n  back to plain raw-tx hex otherwise.\n- Adds support for the `XDeployment-ID` (default: random\n  `bsv-ruby-sdk-<hex>`), `X-CallbackUrl`, and `X-CallbackToken`\n  headers via new constructor keyword arguments.\n\nFixed in sgbett/bsv-ruby-sdk#306.\n\n### Note for `bsv-wallet` consumers\n\nThe sibling gem `bsv-wallet` (published from the same repository) is\nnot independently vulnerable — `lib/bsv/network/arc.rb` is not bundled\ninto the wallet gem's `files` list. However, `bsv-wallet` runtime-depends\non `bsv-sdk`, so a consumer of `bsv-wallet` that also invokes the\nARC broadcaster is transitively exposed whenever `Gemfile.lock`\nresolves to a vulnerable `bsv-sdk` version. `bsv-wallet >= 0.3.4`\ntightens its `bsv-sdk` constraint to `>= 0.8.2, < 1.0`, so upgrading\neither gem is sufficient to pull in the fix.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n- Verify broadcast results out-of-band (e.g. query a block explorer\n  or WhatsOnChain) before treating a transaction as broadcast.\n- Do not gate integrity-critical actions solely on the ARC\n  broadcaster's success response.\n\n## Credit\n\nIdentified during the 2026-04-08 cross-SDK compliance review,\ntracked as finding F5.13.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40069","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13787","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13697","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13667","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13752","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13791","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40069"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bsv-sdk/CVE-2026-40069.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bsv-sdk/CVE-2026-40069.yml"},{"reference_url":"https://github.com/sgbett/bsv-ruby-sdk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sgbett/bsv-ruby-sdk"},{"reference_url":"https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:11:39Z/"}],"url":"https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"},{"reference_url":"https://github.com/sgbett/bsv-ruby-sdk/issues/305","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:11:39Z/"}],"url":"https://github.com/sgbett/bsv-ruby-sdk/issues/305"},{"reference_url":"https://github.com/sgbett/bsv-ruby-sdk/pull/306","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:11:39Z/"}],"url":"https://github.com/sgbett/bsv-ruby-sdk/pull/306"},{"reference_url":"https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:11:39Z/"}],"url":"https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2"},{"reference_url":"https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:11:39Z/"}],"url":"https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40069","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40069"},{"reference_url":"https://github.com/advisories/GHSA-9hfr-gw99-8rhx","reference_id":"GHSA-9hfr-gw99-8rhx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9hfr-gw99-8rhx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110195?format=json","purl":"pkg:gem/bsv-sdk@0.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/bsv-sdk@0.8.2"}],"aliases":["CVE-2026-40069","GHSA-9hfr-gw99-8rhx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b2b4-b1vc-uue2"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/bsv-sdk@0.2.1"}