We currently use hashconnect version 0.2.9 (latest version is still beta), which has a peer dependency on crypto-js version 4.1.1. This version has critical vulnerabilities, and while we attempted to update to crypto-js version 4.2.0, we encountered the following error:
```
Uncaught (in promise) Error: Invalid encrypted text received. Decryption halted.
    at SimpleCrypto3._decrypt (hashconnect.js?v=12f064f6:6815:19)
    at SimpleCrypto3.decrypt (hashconnect.js?v=12f064f6:6856:25)
    at MessageUtil.decrypt (hashconnect.js?v=12f064f6:7418:29)
    at MessageUtil.decode (hashconnect.js?v=12f064f6:7395:31)
    at Object.callback (hashconnect.js?v=12f064f6:7820:43)
    at Event4.emit (hashconnect.js?v=12f064f6:116:20)
    at WebSocketRelay.processMessage (hashconnect.js?v=12f064f6:6931:18)
    at socket.onmessage (hashconnect.js?v=12f064f6:6979:12)
```
### Expected Behavior

Updating crypto-js to version 4.2.0 should not break the decryption functionality in hashconnect.

### Actual Behavior

When using the updated crypto-js, decryption fails with an "Invalid encrypted text" error.

### Proposed Solution

Please investigate the compatibility issues between hashconnect and the newer version of crypto-js. Updating to the latest version should resolve the vulnerabilities and maintain functionality.

### Summary of Vulnerabilities in crypto-js

Weaknesses in PBKDF2 Implementation:

- Low Iteration Count: Defaults to a single iteration, drastically reducing security (1,000 times weaker than originally specified, 1,300,000 times weaker than current standards).
- Insecure Hash Algorithm: Uses SHA-1, which has been considered insecure since 2005.

Potential Impacts:

- High risk for password protection and digital signatures.
- Attackers can create collisions or forge signatures using known prefixes, compromising confidentiality.

Affected Versions: All versions are impacted; the issue has existed since the library's inception.