Conversation

@tanjeemh (Contributor) commented Sep 23, 2025

Mitigate GHSA-3gc7-fjrx-p6mg (high-severity buffer overflow in bigint-buffer@<=1.1.5) impacting Solana paths in BitGoJS.

What Changed:

  • Replaced transitive bigint-buffer with @trufflesuite/bigint-buffer@1.1.10 via alias, ensuring all Solana dependencies resolve to the safe implementation.
  • Ensured Solana deps resolve through versions that pick up the alias (e.g., @solana/web3.js@1.95.8, @solana/spl-token@0.3.1 -> @solana/buffer-layout-utils@0.2.0).
  • Added a lightweight runtime guard for BigInt<->Buffer conversions in @bitgo/sdk-coin-sol (bigint-buffer-guard.ts) to validate input lengths and reduce misuse risk. Its purpose is to enforce input type/length checks around BigInt buffer operations; it is imported so validations run at module load.
  • Removed any audit suppression related to this advisory so future scans surface regressions.

Motivation / Context:
bigint-buffer@<=1.1.5 has a buffer overflow in toBigIntLE(); the original package appears unmaintained. We migrate to a maintained alternative and add validation to protect Solana flows.

Dependencies:
Alias: bigint-buffer@npm:@trufflesuite/bigint-buffer@1.1.10
Solana libs as above; no code changes required outside the guard and dependency updates.

Type of Change:

  • Bug fix (non-breaking change which fixes a security issue)

How Has This Been Tested?
Refer to comment in JIRA Ticket: DX-1549, for all test results.

Ticket: DX-1549
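The kind of type/length guard the description refers to, written here as an added illustration rather than the PR's own bigint-buffer-guard.ts: every conversion first checks that the width is a sane integer, that the input is a real Buffer of exactly that width (or a non-negative bigint that fits), and only then converts. The conversions are pure JavaScript so the example runs without bigint-buffer; MAX_WIDTH is an assumed bound.

```javascript
// Hypothetical guard for BigInt <-> Buffer conversions (added example, not
// BitGoJS code). Validates inputs before decoding/encoding so a short buffer
// or an oversized value can never reach a conversion routine that trusts them.
const MAX_WIDTH = 32; // assumption: widest unsigned integer the callers need

function assertWidth(width) {
  if (!Number.isInteger(width) || width < 1 || width > MAX_WIDTH) {
    throw new RangeError(`width must be an integer in [1, ${MAX_WIDTH}], got ${width}`);
  }
}

// Decode a little-endian unsigned integer; the buffer must be exactly `width` bytes.
function toBigIntLE(buf, width) {
  assertWidth(width);
  if (!Buffer.isBuffer(buf)) throw new TypeError('expected a Buffer');
  if (buf.length !== width) {
    throw new RangeError(`expected ${width} bytes, got ${buf.length}`);
  }
  let result = 0n;
  for (let i = width - 1; i >= 0; i--) {
    result = (result << 8n) | BigInt(buf[i]);
  }
  return result;
}

// Encode a non-negative bigint as `width` little-endian bytes; refuse values
// that would be silently truncated.
function toBufferLE(value, width) {
  assertWidth(width);
  if (typeof value !== 'bigint') throw new TypeError('expected a bigint');
  if (value < 0n || value >= (1n << BigInt(8 * width))) {
    throw new RangeError(`value does not fit in ${width} unsigned bytes`);
  }
  const out = Buffer.alloc(width);
  let v = value;
  for (let i = 0; i < width; i++) {
    out[i] = Number(v & 0xffn);
    v >>= 8n;
  }
  return out;
}

// Returns true when `fn` is rejected by the guard with a TypeError/RangeError.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError || e instanceof RangeError; }
}
```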

zahin-mohammad previously approved these changes Sep 24, 2025
mukeshsp previously approved these changes Sep 26, 2025
tanjeemh force-pushed the DX-1549-bigint-buffer-advisory branch from 1814a3b to 4f762b2 on September 29, 2025 18:51
tanjeemh merged commit 052be0b into master Sep 30, 2025
13 checks passed