How the CVE Works:
This vulnerability exploits Unicode homograph characters in CryptoCoinJS base-x, a library for base encoding/decoding used in cryptocurrency addresses. Attackers substitute visually identical Unicode characters (e.g., Cyrillic ‘а’ vs. Latin ‘a’) to create fraudulent addresses that bypass validation. For example, a user intending to send funds to `1Bitcoin…` might instead send to `1Вitcoin…` (with a Cyrillic ‘В’), leading to irreversible theft. The library fails to normalize or detect these homographs during address encoding/decoding, enabling spoofing.
DailyCVE Form:
Platform: CryptoCoinJS base-x
Version: <=5.0.0, <=4.0.0, <=3.0.10
Vulnerability: Homograph bypass
Severity: Critical
Date: Apr 30, 2025
What Undercode Say:
Exploit:
1. Craft a malicious address using homoglyphs:
const fakeAddress = "1ВitcoinEaterAddress..." // Cyrillic 'В'
2. Encode the address using vulnerable base-x:
const encoded = basex.encode(fakeAddress); // Bypasses checks
Protection:
1. Upgrade to patched versions (5.0.1, 4.0.1, 3.0.11).
2. Implement Unicode normalization:
const normalized = address.normalize("NFKC"); // Folds compatibility forms (e.g. fullwidth letters) to ASCII; Cyrillic look-alikes are not mapped to Latin, so step 3 is what rejects them
3. Use strict character whitelisting:
const isValid = /^[a-zA-Z0-9]+$/.test(address);
Analytics:
- Impact Score: 9.8 (CVSSv3)
- Attack Vector: Network-based
- Fix Diff:
const sanitized = input.normalize("NFKC");
return basex.encode(input);
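Review bot: the normalized value is stored in `sanitized` but the next line still passes the raw `input` to `basex.encode`, so the normalization has no effect on what is encoded; encode `sanitized` instead, and validate it against the address alphabet before the `return`, since NFKC alone does not remove Cyrillic look-alikes.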
Detection Command:
grep -r "basex.encode" /path/to/code   # Find vulnerable usage
Mitigation Script:
// Assumed alphabet for the basex instance (Bitcoin base58); the original snippet left `basex` undefined.
const basex = require("base-x")("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz");

function safeEncode(address) {
  const normalized = address.normalize("NFKC");
  // Check and encode the same (normalized) value, so a compatibility character
  // cannot pass the check and still reach the encoder in its original form.
  if (!/^[a-z0-9]+$/i.test(normalized)) {
    throw new Error("Invalid characters");
  }
  // base-x encodes bytes, not strings
  return basex.encode(Buffer.from(normalized, "utf8"));
}
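The Protection steps and the Mitigation Script above both rest on NFKC normalization plus a character whitelist. The block below is an added example, not code from the advisory or from the base-x project, that carries that check through in plain JavaScript and goes a little further than the page: it reports what NFKC actually changes (a fullwidth digit folds to ASCII; a Cyrillic 'В' is left untouched, so the whitelist, not normalization, is what rejects it), restricts input to the Bitcoin base58 alphabet rather than the broader [a-zA-Z0-9], and wraps a small decoder that refuses any foreign character instead of silently mis-mapping it. The function names (checkAddress, base58Decode), the SAMPLES inputs and the choice of alphabet are our own assumptions.

```javascript
// Added example (not from the advisory or the base-x project). Names below
// (checkAddress, base58Decode, SAMPLES) are our own constructions.
"use strict";

// Bitcoin base58 alphabet: no 0, O, I or l, so a whitelist of [a-zA-Z0-9]
// would still admit characters no real address can contain.
const BASE58_ALPHABET =
  "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// Digit value per alphabet character. Keying a Map by the character itself
// (rather than indexing a fixed-size table by char code) means any foreign
// code point, including ones above 0xFF, is simply absent and gets rejected.
const DIGIT_OF = new Map([...BASE58_ALPHABET].map((c, i) => [c, i]));

function describeCodePoint(ch) {
  return "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
}

// Validate an address string before it reaches any encoder or decoder.
// ok is true only when NFKC left the input unchanged AND every character is
// in the alphabet; the other fields explain why it was rejected.
function checkAddress(input) {
  const normalized = input.normalize("NFKC");
  const offenders = [];
  for (const ch of normalized) {
    if (!DIGIT_OF.has(ch)) offenders.push(describeCodePoint(ch));
  }
  const changedByNormalization = normalized !== input;
  return {
    ok: offenders.length === 0 && !changedByNormalization,
    normalized,
    changedByNormalization,
    offenders,
  };
}

// Strict base58 decode to bytes. Throws instead of guessing when the input
// fails checkAddress, so a look-alike character can never decode "successfully".
function base58Decode(str) {
  const check = checkAddress(str);
  if (!check.ok) {
    const why = check.changedByNormalization
      ? "input changes under NFKC normalization"
      : "non-alphabet character(s) " + check.offenders.join(", ");
    throw new Error("rejected address: " + why);
  }
  // Each leading '1' encodes a single 0x00 byte.
  let zeros = 0;
  while (zeros < str.length && str[zeros] === "1") zeros++;
  // Accumulate the remaining digits into a little-endian base-256 number.
  const bytes = [];
  for (const ch of str.slice(zeros)) {
    let carry = DIGIT_OF.get(ch);
    for (let i = 0; i < bytes.length; i++) {
      carry += bytes[i] * 58;
      bytes[i] = carry & 0xff;
      carry >>= 8;
    }
    while (carry > 0) {
      bytes.push(carry & 0xff);
      carry >>= 8;
    }
  }
  return Uint8Array.from([...new Array(zeros).fill(0), ...bytes.reverse()]);
}

// Constructed sample inputs (not real addresses).
const SAMPLES = {
  plain: "1BitcoinEater",
  cyrillic: "1\u0412itcoinEater",   // U+0412 CYRILLIC CAPITAL LETTER VE
  fullwidth: "\uFF11BitcoinEater",  // U+FF11 FULLWIDTH DIGIT ONE
  zeroDigit: "0BitcoinEater",       // ASCII, but '0' is not a base58 digit
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, value] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(checkAddress(value)));
  }
  console.log(base58Decode("5R")); // Uint8Array [1, 0]
}
```

Run it with node to see each sample classified: the Cyrillic variant is reported as an offending code point with no change under NFKC, the fullwidth variant normalizes cleanly to ASCII but is still refused because it changed, and the plain ASCII "0..." form is refused because '0' is outside the alphabet. The decoder is kept deliberately small; the point it makes is that the character lookup rejects rather than mis-maps.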
Sources:
Reported By: github.com
Extra Source Hub:
Undercode