Intel

AIKIDO-2026-558594

@walletconnect/utils is vulnerable to Improper Neutralization of CRLF Sequences (CRLF Injection)

Improper Neutralization of CRLF Sequences (CRLF Injection) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

59

Medium Risk

This Affects:

JS@walletconnect/utils
2.3.0 - 2.23.9
Fixed in 2.23.10
Are you affected? Scan for Free

TL;DR

The formatMessage helper in @walletconnect/utils builds the SIWE/CAIP-122 message a user signs from the CACAO payload, embedding a caller-supplied or recap-derived statement field. Before the fix it inserts the statement into the line-delimited message without rejecting embedded carriage-return or line-feed characters, so a statement containing \r or \n can add extra lines that forge other signed fields such as URI or Nonce. validateSignedCacao also throws on such malformed payloads instead of treating them as invalid. The fix rejects statements containing line breaks after recap formatting and makes validateSignedCacao return false for these payloads.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application formats or validates SIWE/CAIP-122 messages with an attacker-influenced statement or untrusted recap-derived text.

Background info

@walletconnect/utils is vulnerable to Improper Neutralization of CRLF Sequences (CRLF Injection) in versions 2.3.0 - 2.23.9.

How to fix this

Upgrade the @walletconnect/utils library to the patch version.