SCA: security update for @web3-react/coinbase-wallet, @web3-react/eip1193, @web3-react/metamask, @web3-react/walletconnect (GHSA-8pf3-6fgr-3g3g)

medium Tenable Self-Hosted Container Security Plugin ID 412782

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- @web3-react is a framework for building Ethereum Apps . In affected versions the `chainId` may be outdated
if the user changes chains as part of the connection flow. This means that the value of `chainId` returned
by `useWeb3React()` may be incorrect. In an application, this means that any data derived from `chainId`
could be incorrect. For example, if a swapping application derives a wrapped token contract address from
the `chainId` *and* a user has changed chains as part of their connection flow the application could cause
the user to send funds to the incorrect address when wrapping. This issue has been addressed in PR #749
and is available in updated npm artifacts. There are no known workarounds for this issue. Users are
advised to upgrade. (CVE-2023-30543)

See Also

https://github.com/advisories/GHSA-8pf3-6fgr-3g3g

Plugin Details

Severity: Medium

ID: 412782

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2023-30543

CVSS v3

Risk Factor: Medium

Base Score: 5.7

Temporal Score: 5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/18/2023

Vulnerability Publication Date: 4/17/2023

Reference Information

CVE: CVE-2023-30543

cwe: CWE-362