GHSA-3j63-5h8p-gf7c
coinbase/x402
x402 SDK vulnerable in outdated versions in resource servers for builders
How AI Introduced This
Yes. The AI-assisted commit fe42994900a445155be7a697de060c5a34f36a2d created the SIWX settle hook and directly encoded the unsafe assumption that `paymentPayload.resource` is always present: it dereferenced `ctx.paymentPayload.resource.url` without a guard. That is exactly the behavior fixed in 1ab1c86f016161f27593bf17c9a2333c2201ab10.
Attribution Chain
Bug-Introducing Commits (1)
refactor(extensions/siwx): Migrate to supportedChains[] architecture
Extracted from squash merge fe42994
42 other sub-commits in this PR
feat(extensions): add Sign-In-With-X (SIWX) extension
simplify; remove future looking code
add integration test
address own comments
update readme, rm TODO.md
add SIWS
cleanup
further cleanup
split code path btwn evm and solana
mv solana constants
fmt
lint
rm .claude
smart wallet verifier
add domain param; support outside EVM verifier for contract wallets; Solana CAIP-2 compliant; rm clockskew slop
fix missing type field; update lock file
Add Sign-In-With-X extension spec
server & client siwx examples
feat(extensions/siwx): Add lifecycle hooks for simplified DevX
fix(extensions/siwx): Improve hooks robustness and add tests
fix(extensions/siwx): Only record payment if settlement succeeded
style: Fix JSDoc and lint errors
style: Fix formatting and JSDoc in examples
fix(examples): Add getChainId() to signer for proper SIWX chain matching
refactor(extensions/siwx): Extract duplicated getSignerChainId helper
feat(examples/siwx): Add payment header logging to client
fix(examples/siwx): Improve payment flow logging
fix(examples/siwx): Add 300ms delay to avoid facilitator race condition
refactor(extensions/siwx): Use payment network instead of signer chain detection
refactor(extensions/siwx): Auto-derive network/domain/uri from context
refactor(extensions/siwx): Remove time-based fields from declareSIWxExtension
docs(extensions/siwx): Add smart wallet docs, align signature schemes
fix(examples/siwx): Add missing JSDoc to onEvent function
fix(extensions/siwx): Use result.payer instead of extracting from payload
feat(extensions/siwx): Add optional nonce tracking to prevent replay attacks
chore: Add changeset for SIWX extension
fix(examples/siwx): Add missing JSDoc params for onEvent function
Merge pull request #8 from sragss/siwx-solana-fix
fix(extensions/siwx): Require both nonce methods or neither
Deep Verification
by GPT-5.4

The fix changes the `createSIWxSettleHook` context type from `paymentPayload: { payload: unknown; resource: { url: string } }` to `resource?: { url: string }` and adds an early return before `ctx.paymentPayload.resource.url` is used. Blame on the pre-fix file attributes those exact lines to fe429949, and pickaxe searches for both `ctx.paymentPayload.resource.url` and `createSIWxSettleHook` show that fe429949 first introduced this code. The screening hypothesis is only partially right: this commit did introduce the optional-resource bug, but nothing in the fix or the pickaxe results indicates that missing protocol-version validation is part of this CVE.
AI Signals (1)

| Tool | Signal type | Evidence | Confidence |
| --- | --- | --- | --- |
| Claude Code | Co-author trailer | Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> | 95% |