Description
When invoking a capability with a chain depth of 2, i.e., one that is delegated directly from the root capability, the expires property is not properly checked against the current date or other date parameter. This can allow invocations outside of the originally intended time period.
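The following added example (not code from @digitalbazaar/zcap or from this advisory) sketches an expiry check that covers every delegated capability in a chain, including the single delegated capability in a chain of depth 2. The function name, the chain layout (an array with the root first), the rule that a child may not expire after its parent, and the sample identifiers are assumptions made for illustration.

```javascript
// Added illustration; not the @digitalbazaar/zcap implementation.
// Assumptions: `chain` is an array ordered root first, the root carries no
// `expires`, and each delegated capability has an ISO 8601 `expires` string.
function checkChainExpiry(chain, {date = new Date()} = {}) {
  if (!Array.isArray(chain) || chain.length === 0) {
    return {valid: false, error: 'empty capability chain'};
  }
  const now = new Date(date).getTime();
  if (Number.isNaN(now)) {
    return {valid: false, error: 'invalid verification date'};
  }
  let parentExpires = Infinity;
  // Start at index 1: every delegated capability is checked, so a chain of
  // depth 2 ([root, delegated]) gets exactly the same treatment as longer ones.
  for (let i = 1; i < chain.length; i++) {
    const {id, expires} = chain[i];
    const t = typeof expires === 'string' ? Date.parse(expires) : NaN;
    if (Number.isNaN(t)) {
      return {valid: false, error: `${id}: missing or invalid expires`};
    }
    if (now >= t) {
      return {valid: false, error: `${id}: expired`};
    }
    // Assumed attenuation rule: a child must not outlive its parent.
    if (t > parentExpires) {
      return {valid: false, error: `${id}: expires after parent`};
    }
    parentExpires = t;
  }
  return {valid: true};
}

// Constructed sample data; identifiers are placeholders.
const root = {id: 'urn:zcap:root:example'};
const delegated = {
  id: 'urn:zcap:delegated-1',
  parentCapability: root.id,
  expires: '2024-01-01T00:00:00Z'
};
const depth2 = [root, delegated];

console.log(checkChainExpiry(depth2, {date: '2023-12-31T23:59:59Z'}));
console.log(checkChainExpiry(depth2, {date: '2024-06-01T00:00:00Z'}));
```

A regression test for the upgrade can follow the same shape: invoke a capability delegated directly from the root after its expires time and confirm that verification rejects it.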
Recommendation
Update the @digitalbazaar/zcap package to the latest compatible version. Version details:
- Affected version(s): < 9.0.1
- Patched version(s): 9.0.1
References
- Tags:
- npm
- @digitalbazaar/zcap
Last updated on April 21, 2024