SCA: security update for @chainsafe/lodestar (GHSA-cvj7-5f3c-9vg9)

high Tenable Self-Hosted Container Security Plugin ID 414107

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Lodestar is a TypeScript implementation of the Ethereum Consensus specification. Prior to version 0.36.0,
there is a possible consensus split given maliciously-crafted `AttesterSlashing` or `ProposerSlashing`
being included on-chain. Because the developers represent `uint64` values as native javascript `number`s,
there is an issue when those variables with large (greater than 2^53) `uint64` values are included on
chain. In those cases, Lodestar may view valid_`AttesterSlashing` or `ProposerSlashing` as invalid, due to
rounding errors in large `number` values. This causes a consensus split, where Lodestar nodes are forked
away from the main network. Similarly, Lodestar may consider invalid `ProposerSlashing` as valid, thus
including in proposed blocks that will be considered invalid by the network. Version 0.36.0 contains a fix
for this issue. As a workaround, use `BigInt` to represent `Slot` and `Epoch` values in `AttesterSlashing`
and `ProposerSlashing` objects. `BigInt` is too slow to be used in all `Slot` and `Epoch` cases, so one
may carefully use `BigInt` just where necessary for consensus. (CVE-2022-29219)

See Also

https://github.com/advisories/GHSA-cvj7-5f3c-9vg9

Plugin Details

Severity: High

ID: 414107

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-29219

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/24/2022

Vulnerability Publication Date: 5/24/2022

Reference Information

CVE: CVE-2022-29219

cwe: CWE-190