Hyperledger
Products
9- 6 CVEs
- 5 CVEs
- 4 CVEs
- Ursa3 CVEscargo
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 0 CVEs
Recent CVEs
20| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41586 | Cri | 0.60 | — | 0.00 | May 7, 2026 | Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on… | ||
| CVE-2025-30147 | Hig | 0.50 | — | 0.00 | May 7, 2025 | Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles… | ||
| CVE-2018-3756 | Hig | 0.49 | 7.5 | 0.01 | Jun 1, 2018 | Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other… | ||
| CVE-2026-45581 | Med | 0.29 | 5.5 | 0.00 | Jun 8, 2026 | fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS… | ||
| CVE-2015-20112 | Low | 0.15 | 3.4 | 0.00 | Jun 29, 2025 | RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network. | ||
| CVE-2024-22192 | 0.00 | — | 0.00 | Jan 16, 2024 | Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be… | |||
| CVE-2024-21670 | 0.00 | — | 0.00 | Jan 16, 2024 | Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a… | |||
| CVE-2022-31021 | 0.00 | — | 0.00 | Jan 16, 2024 | Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key… | |||
| CVE-2024-21669 | 0.00 | — | 0.01 | Jan 11, 2024 | Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of… | |||
| CVE-2023-46132 | 0.00 | — | 0.01 | Nov 14, 2023 | Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called "cross-linking" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a… | |||
| CVE-2022-45196 | 0.00 | — | 0.01 | Nov 12, 2022 | Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist. | |||
| CVE-2022-36025 | 0.00 | — | 0.01 | Sep 24, 2022 | Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including… | |||
| CVE-2022-31006 | 0.00 | — | 0.01 | Sep 9, 2022 | indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its… | |||
| CVE-2022-31020 | 0.00 | — | 0.02 | Sep 6, 2022 | Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The… | |||
| CVE-2022-36023 | 0.00 | — | 0.01 | Aug 18, 2022 | Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway… | |||
| CVE-2022-31121 | 0.00 | — | 0.02 | Jul 7, 2022 | Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and… | |||
| CVE-2021-41272 | 0.00 | — | 0.01 | Dec 13, 2021 | Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart… | |||
| CVE-2021-21369 | 0.00 | — | 0.01 | Mar 9, 2021 | Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API… | |||
| CVE-2020-11093 | 0.00 | — | 0.01 | Dec 24, 2020 | Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized… | |||
| CVE-2020-11090 | 0.00 | — | 0.02 | Jun 11, 2020 | In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential… |
- risk 0.60cvss —epss 0.00
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on…
- risk 0.50cvss —epss 0.00
Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles…
- risk 0.49cvss 7.5epss 0.01
Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other…
- risk 0.29cvss 5.5epss 0.00
fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS…
- risk 0.15cvss 3.4epss 0.00
RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network.
- CVE-2024-22192Jan 16, 2024risk 0.00cvss —epss 0.00
Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be…
- CVE-2024-21670Jan 16, 2024risk 0.00cvss —epss 0.00
Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a…
- CVE-2022-31021Jan 16, 2024risk 0.00cvss —epss 0.00
Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key…
- CVE-2024-21669Jan 11, 2024risk 0.00cvss —epss 0.01
Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of…
- CVE-2023-46132Nov 14, 2023risk 0.00cvss —epss 0.01
Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called "cross-linking" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a…
- CVE-2022-45196Nov 12, 2022risk 0.00cvss —epss 0.01
Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist.
- CVE-2022-36025Sep 24, 2022risk 0.00cvss —epss 0.01
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including…
- CVE-2022-31006Sep 9, 2022risk 0.00cvss —epss 0.01
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its…
- CVE-2022-31020Sep 6, 2022risk 0.00cvss —epss 0.02
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The…
- CVE-2022-36023Aug 18, 2022risk 0.00cvss —epss 0.01
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway…
- CVE-2022-31121Jul 7, 2022risk 0.00cvss —epss 0.02
Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and…
- CVE-2021-41272Dec 13, 2021risk 0.00cvss —epss 0.01
Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart…
- CVE-2021-21369Mar 9, 2021risk 0.00cvss —epss 0.01
Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API…
- CVE-2020-11093Dec 24, 2020risk 0.00cvss —epss 0.01
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized…
- CVE-2020-11090Jun 11, 2020risk 0.00cvss —epss 0.02
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential…