@walletconnect/utils is vulnerable to Improper Neutralization of CRLF Sequences (CRLF Injection)
59
Medium Risk
The formatMessage helper in @walletconnect/utils builds the SIWE/CAIP-122 message a user signs from the CACAO payload, embedding a caller-supplied or recap-derived statement field. Before the fix it inserts the statement into the line-delimited message without rejecting embedded carriage-return or line-feed characters, so a statement containing \r or \n can add extra lines that forge other signed fields such as URI or Nonce. validateSignedCacao also throws on such malformed payloads instead of treating them as invalid. The fix rejects statements containing line breaks after recap formatting and makes validateSignedCacao return false for these payloads.
You are affected if you are using a version that falls within the vulnerable range and your application formats or validates SIWE/CAIP-122 messages with an attacker-influenced statement or untrusted recap-derived text.
@walletconnect/utils is vulnerable to Improper Neutralization of CRLF Sequences (CRLF Injection) in versions 2.3.0 - 2.23.9.
Upgrade the @walletconnect/utils library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant