Description
Versions 4.2.1, 4.2.2, 4.2.3 and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. Version 2.14.2 of the 2.x line was also affected. If you are using one of these versions, stop immediately and rotate any private keys or secrets used with affected systems.
Recommendation
Update the xrpl package to the latest compatible version. Updating alone is not sufficient: any private key or secret that was loaded by an affected version should be treated as exposed and rotated. Version details:

- Affected version(s): **= 2.14.2** and **>= 4.2.1, < 4.2.5**
- Patched version(s): **2.14.3** and **4.2.5**
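The first question a practitioner has to answer is whether any copy of xrpl in a project, including nested copies pulled in transitively, falls inside the ranges above. The following is an added example (not part of this advisory or of the xrpl.js project) that scans a `package-lock.json` in the lockfile v2/v3 `packages` format and reports every xrpl install in the affected ranges together with the release to move to. The embedded `SAMPLE_LOCK` is a constructed lockfile, not a real project; the affected and patched ranges are taken from the version details above.

```javascript
// Added example: find xrpl installs in the compromised ranges listed in the
// advisory. Not code from the advisory or from the xrpl.js project.
const AFFECTED = [
  { eq: "2.14.2", fixed: "2.14.3" },                // 2.x line: exactly 2.14.2
  { gte: "4.2.1", lt: "4.2.5", fixed: "4.2.5" },    // 4.x line: 4.2.1 .. 4.2.4
];

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" and any
// pre-release/build suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the patched version to upgrade to, or null if the version is clean.
function affectedFix(version) {
  for (const r of AFFECTED) {
    if (r.eq !== undefined && compareVersions(version, r.eq) === 0) return r.fixed;
    if (r.gte !== undefined &&
        compareVersions(version, r.gte) >= 0 &&
        compareVersions(version, r.lt) < 0) return r.fixed;
  }
  return null;
}

// Walk every "packages" entry of a lockfile (v2/v3 format) and collect the
// xrpl installs that are affected, nested node_modules copies included.
function findAffectedXrpl(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/xrpl$/.test(path)) continue;
    const fix = affectedFix(entry.version);
    if (fix) hits.push({ path, version: entry.version, fixed: fix });
  }
  return hits;
}

// Constructed sample lockfile (assumption: not a real project). It contains
// one affected top-level install, one clean nested copy and one affected
// nested copy from the 2.x line.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-lib/node_modules/xrpl": { version: "4.2.5" },
    "node_modules/other/node_modules/xrpl": { version: "2.14.2" },
  },
});

// Usage: node check-xrpl.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const json = lockPath ? require("fs").readFileSync(lockPath, "utf8") : SAMPLE_LOCK;
  const hits = findAffectedXrpl(json);
  if (hits.length === 0) {
    console.log("no xrpl install in the affected ranges");
  } else {
    for (const h of hits) {
      console.log(`AFFECTED ${h.path} @ ${h.version} -> upgrade to ${h.fixed}`);
    }
    console.log("rotate every key or secret that was used with these installs");
  }
}
```

A clean lockfile is a necessary condition, not a sufficient one: the check says nothing about what an affected version may already have sent out while it was installed, which is why the rotation step above still applies even after the upgrade.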
Tags: npm, xrpl
Last updated on April 22, 2025