@walletconnect/sign-client is vulnerable to Improper Authorization
65
Medium Risk
The Sign engine processes incoming wc_sessionUpdate requests in onSessionUpdateRequest without verifying that the sending peer is the session controller. A non-controller peer in an established session, such as a dApp using a custom SDK, can send a session update and mutate the stored session namespaces it was never authorized to change. The public update() method likewise does not restrict callers to the controller. The fix rejects wc_sessionUpdate from non-controller peers with UNAUTHORIZED_UPDATE_REQUEST and makes update() throw when invoked by a non-controller.
You are affected if you are using a version that falls within the vulnerable range.
@walletconnect/sign-client is vulnerable to Improper Authorization in versions 2.0.0 - 2.23.9.
Upgrade the @walletconnect/sign-client library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant