Description
Holder can generate proof of ownership for credentials it does not control in vp-toolkit
Impact
The verifyVerifiablePresentation() method checks the cryptographic integrity of the Verifiable Presentation, but it does not check whether the credentialSubject.id DID of the presented credential matches the signer of the VP proof.
The verifier is impacted by this vulnerability.
Patches
Patch will be available in version 0.2.2.
Workarounds
- Compute the address from verifiablePresentation.proof.n.verificationMethod using getAddressFromPubKey() from crypt-util@0.1.5 and match it with the credentialSubject.id address from the credential.
References
For more information
If you have any questions or comments about this advisory:
- Discuss in the existing issue
- Contact me
Packages
Name: vp-toolkit (npm)
Affected versions: < 0.2.2
Patched version: 0.2.2