GHSA-xq4h-wqm2-668w: Babylon's BIP322 signature implementation is not fully compliant to the spec

November 24, 2025 (updated November 27, 2025)

The BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the spec.

References

bips.dev/322
github.com/advisories/GHSA-xq4h-wqm2-668w
github.com/babylonlabs-io/babylon
github.com/babylonlabs-io/babylon/commit/6e8bdd328a47343fcd7ad98d1b0c7267860b019a
github.com/babylonlabs-io/babylon/security/advisories/GHSA-xq4h-wqm2-668w

Code Behaviors & Features

Detect and mitigate GHSA-xq4h-wqm2-668w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →