MetaMask SDK indirectly exposed via malicious [email protected] dependency
Severity: Medium
Description
This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application:
- Installed MetaMask SDK into a project with a lockfile for the first time
- Installed MetaMask SDK in a project without a lockfile
- Updated a lo
Recommendation
Update the @metamask/sdk-communication-layer package to the latest compatible version. Version details:
- Affected version(s): >= 0.16.0, <= 0.33.0
- Patched version(s): 0.33.1
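As an added check that is not part of this advisory, the script below walks an npm lockfile's `packages` map (lockfileVersion 2 or 3) and flags every copy of @metamask/sdk-communication-layer whose version falls inside the affected range stated above; the package name and range come from the advisory, while the sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example, not the advisory's or MetaMask's code: audit an npm lockfile
// for @metamask/sdk-communication-layer versions in the affected range
// >= 0.16.0, <= 0.33.0 (patched release: 0.33.1).
const AFFECTED_PKG = '@metamask/sdk-communication-layer';
const AFFECTED_MIN = [0, 16, 0]; // inclusive lower bound from the advisory
const AFFECTED_MAX = [0, 33, 0]; // inclusive upper bound from the advisory

// Parse "major.minor.patch" into numbers, ignoring any pre-release/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the advisory's affected range (both ends inclusive).
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Lockfile keys are install paths such as "node_modules/@metamask/sdk-communication-layer"
// or nested "node_modules/<dep>/node_modules/@metamask/sdk-communication-layer",
// so every installed copy is checked, not only the top-level one.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PKG}`)) continue;
    if (entry.version && isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: one top-level affected copy, one nested patched copy.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@metamask/sdk-communication-layer': { version: '0.32.0' },
    'node_modules/@metamask/sdk/node_modules/@metamask/sdk-communication-layer': { version: '0.33.1' },
  },
};

const sampleHits = findAffected(sampleLockfile); // one hit: the 0.32.0 copy
```

To run it against a real project, replace `sampleLockfile` with the parsed contents of that project's package-lock.json; any hit means a reinstall after updating to 0.33.1 or later is needed.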
References
Related Issues
- Finance.js vulnerable to DoS via the IRR function’s depth parameter - CVE-2025-56571
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 - CVE-2025-32965
- Tags:
- npm
- @metamask/sdk-communication-layer
Last updated on September 15, 2025