CVE-2024-21669

Public Exploit
Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC

Description

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.

CVSS 3.1 score: 9.9 (Severity: Critical)
EPSS: 0.10%
Vendor Advisory: github.com
Affected: hyperledger aries-cloudagent-python

Frequently Asked Questions

What is the severity of CVE-2024-21669?
CVE-2024-21669 has been scored as a critical severity vulnerability.
How to fix CVE-2024-21669?
To fix CVE-2024-21669, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-21669 being actively exploited in the wild?
It is possible that CVE-2024-21669 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-21669?
CVE-2024-21669 affects hyperledger aries-cloudagent-python.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.