GMS-2019-66: Insecure Credential Storage in web3

May 30, 2019 (updated September 16, 2021)

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key. No fix is currently available. Consider using an alternative module until a fix is made available.

References

github.com/advisories/GHSA-27v7-qhfv-rqq8
github.com/ethereum/web3.js/issues/2739
snyk.io/vuln/SNYK-JS-WEB3-174533
www.npmjs.com/advisories/877

Detect and mitigate GMS-2019-66 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →