@walletconnect/core is vulnerable to Improper Verification of Data Authenticity
50
Medium Risk
The relay transport message handler in pairing.ts (registerRelayerEvents) processes inbound envelopes without checking the envelope type against the active transport. Plaintext TYPE_2 envelopes, which are only intended for link mode, are accepted and decoded on the standard relay path even though they carry no encryption or peer authentication. An attacker able to publish to a topic the client is subscribed to can deliver crafted plaintext payloads that the client treats as legitimate relay messages, enabling unauthenticated message injection and spoofing. The fix ignores TYPE_2 payloads received over the relay so they are only handled in link mode.
You are affected if you are using a version that falls within the vulnerable range.
@walletconnect/core is vulnerable to Improper Verification of Data Authenticity in versions 2.16.0 - 2.23.9.
Upgrade the @walletconnect/core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant