GHSA-3w94-vq2x-v5wr: ethereum does not check transaction malleability for EIP-2930, EIP-1559 and EIP-7702 transactions
Prior to ethereum crate v0.18.0, signature malleability (according to EIP-2) was only checked for “legacy” transactions, but not for EIP-2930, EIP-1559 and EIP-7702 transactions.

This is a specification deviation and therefore a high severity advisory if the ethereum crate is used for Ethereum mainnet. Note that signature malleability itself is not a security issue, and therefore if the ethereum crate is used on a single-implementation blockchain, it’s a low/informational severity advisory.
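As an added example (not the ethereum crate's own code, and not taken from the advisory), the following Rust shows what the EIP-2 malleability rule checks and why applying it to only one transaction type is a specification deviation: a signature (r, s) has a second valid form (r, n - s), and EIP-2 makes the high-s form invalid for every transaction. The validator named validate_pre_fix reconstructs the behaviour the advisory describes (check only on legacy transactions); validate_fixed applies the same check to all types. The TxKind and Signature types, the function names and the sample r/s values are constructed for this example; the two curve constants are secp256k1's group order n and floor(n/2).

```rust
// Added example, not code from the ethereum crate: EIP-2 low-s check
// applied uniformly to legacy and typed (EIP-2930/1559/7702) transactions.

/// secp256k1 group order n, big-endian.
const SECP256K1_N: [u8; 32] = [
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
    0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
];

/// floor(n / 2): EIP-2 requires s <= this value.
const SECP256K1_HALF_N: [u8; 32] = [
    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x5d, 0x57, 0x6e, 0x73, 0x57, 0xa4, 0x50, 0x1d, 0xdf, 0xe9, 0x2f, 0x46, 0x68, 0x1b, 0x20, 0xa0,
];

/// Transaction envelope kinds named in the advisory (hypothetical enum for this example).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TxKind {
    Legacy,
    Eip2930, // EIP-2718 type 0x01
    Eip1559, // type 0x02
    Eip7702, // type 0x04
}

/// ECDSA signature components as 32-byte big-endian integers (hypothetical struct).
pub struct Signature {
    pub r: [u8; 32],
    pub s: [u8; 32],
}

fn nonzero(x: &[u8; 32]) -> bool {
    x.iter().any(|&b| b != 0)
}

/// Big-endian byte arrays compare numerically under lexicographic ordering,
/// so the range checks need no big-integer library.
/// r must satisfy 0 < r < n; EIP-2 additionally requires 0 < s <= n/2.
pub fn signature_is_canonical(sig: &Signature) -> bool {
    let r_ok = nonzero(&sig.r) && sig.r < SECP256K1_N;
    let s_ok = nonzero(&sig.s) && sig.s <= SECP256K1_HALF_N;
    r_ok && s_ok
}

/// Reconstruction of the behaviour the advisory describes for ethereum < 0.18.0:
/// the EIP-2 bound is enforced for legacy transactions only; typed transactions
/// get a plain range check, so a high-s signature passes.
pub fn validate_pre_fix(kind: TxKind, sig: &Signature) -> bool {
    match kind {
        TxKind::Legacy => signature_is_canonical(sig),
        _ => nonzero(&sig.r) && sig.r < SECP256K1_N && nonzero(&sig.s) && sig.s < SECP256K1_N,
    }
}

/// Corrected behaviour: the EIP-2 check applies regardless of transaction type.
pub fn validate_fixed(_kind: TxKind, sig: &Signature) -> bool {
    signature_is_canonical(sig)
}

/// n - s, computed byte-wise with borrow (big-endian). Used to map a high-s
/// value to its canonical low-s twin, which signers should emit in the first place.
fn n_minus(s: &[u8; 32]) -> [u8; 32] {
    let mut out = [0u8; 32];
    let mut borrow = 0u16;
    for i in (0..32).rev() {
        let a = SECP256K1_N[i] as u16;
        let b = s[i] as u16 + borrow;
        if a >= b {
            out[i] = (a - b) as u8;
            borrow = 0;
        } else {
            out[i] = (a + 256 - b) as u8;
            borrow = 1;
        }
    }
    out
}

/// Return the EIP-2 canonical form of s: unchanged if already low, else n - s.
pub fn normalize_s(s: &[u8; 32]) -> [u8; 32] {
    if *s <= SECP256K1_HALF_N { *s } else { n_minus(s) }
}

fn main() {
    // Constructed sample: s = floor(n/2) + 1, one above the EIP-2 bound.
    let mut high_s = SECP256K1_HALF_N;
    high_s[31] += 1;
    let sig = Signature { r: [1u8; 32], s: high_s };
    for kind in [TxKind::Legacy, TxKind::Eip2930, TxKind::Eip1559, TxKind::Eip7702] {
        println!(
            "{:?}: pre-fix accepts={} fixed accepts={}",
            kind,
            validate_pre_fix(kind, &sig),
            validate_fixed(kind, &sig)
        );
    }
}
```

Running main prints that the pre-fix validator accepts the high-s signature for the three typed transaction kinds while rejecting it for legacy, and that the fixed validator rejects it for all four; normalize_s maps that sample back to floor(n/2), the largest s a compliant node will accept.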