MetaMask SDK indirectly exposed via malicious [email protected] dependency
Severity: Medium
Description
This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application:
- Installed MetaMask SDK into a project with a lockfile for the first time
- Installed MetaMask SDK in a project without a lockfile
- Updated a lo
Recommendation
Update the @metamask/sdk-communication-layer package to the latest compatible version. Version details:
- Affected version(s): >= 0.16.0, <= 0.33.0
- Patched version(s): 0.33.1
Tags: npm, @metamask/sdk-communication-layer
Last updated on September 15, 2025


