| Title | Chia Network Chia Blockchain 2.1.0 (confirmed vulnerable; later versions 2.2.0 - 2.5.6 presumed vulnerable, no fix released): Authentication Bypass / CSRF / Cryptographic Issue |
|---|---|
| Description | The Chia RPC server (rpc_server_base.py) contains multiple critical vulnerabilities:
1. Authentication Bypass: If no RPC credentials are set (the default), _authenticate() returns True for all requests.
2. CSRF: No CORS headers or origin validation. A malicious website can send POST requests to localhost:9256/8555. The browser blocks reading the response, but the wallet executes the command.
3. Master Passphrase Bypass: The RPC server ignores the wallet's locked state. Any local process with access to the mTLS certificates can call /send_transaction and /get_private_key without the passphrase, returning the 24-word seed in plain text.
Impact:
- Remote theft of funds via CSRF + DNS rebinding
- Local malware can drain wallets and exfiltrate seeds without the passphrase
- Complete account takeover
Reported to Chia Network via HackerOne (#3524400). Vendor closed as "Informative" with the note: "This is by design. The user is responsible for host security."
No CVE assigned. Full documentation and PoC videos available. |
|---|---|
| Source | https://github.com/Danimlzg/chia-rpc-auth-bypass.git |
|---|---|
| User | DeSneake (UID 95539) |
|---|---|
| Submitted | 2026-02-12 02:13 PM (2 months ago) |
|---|---|
| Moderation | 2026-02-25 10:35 AM (13 days later) |
|---|---|
| Status | Accepted |
|---|---|
| VulDB Entry | 347750 [Chia Blockchain 2.1.0 RPC Server Master Passphrase send_transaction/get_private_key Weak Authentication] |
|---|---|
| Points | 20 |
|---|---|
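The three findings in the description map onto three request-level checks a local RPC listener can make before dispatching a method. The following is an added example written for this page; it is not code from chia-blockchain, and it does not reproduce the real `rpc_server_base.py`. `RpcPolicy`, `evaluate_request`, the loopback allowlist, the shared-secret credential standing in for the mTLS client certificate, and the constructed request headers are all assumptions made for the illustration. `authenticate_permissive` shows the accept-everything behaviour the report describes; `evaluate_request` is the fail-closed alternative, with the Host pinning that defeats DNS rebinding kept separate from the Origin check that defeats plain cross-site POSTs, and a per-method lock gate for the two calls named in the report.

```python
# Added example (not chia-blockchain code): a fail-closed request filter for a
# loopback RPC listener. Names, policy fields and sample headers are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Hostnames a loopback-bound listener should accept in the Host header.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


@dataclass
class RpcPolicy:
    """Server-side settings the check consults (hypothetical, for illustration)."""
    port: int                                  # port the RPC listener is bound to
    credentials: Optional[str]                 # shared secret; None = not configured
    wallet_locked: bool = True                 # master passphrase not yet entered
    allowed_origins: Set[str] = field(default_factory=set)
    # Methods that must not run while the wallet is locked (the two named in the report).
    passphrase_gated: Set[str] = field(
        default_factory=lambda: {"send_transaction", "get_private_key"})


def authenticate_permissive(policy: RpcPolicy, presented: Optional[str]) -> bool:
    """The behaviour the report attributes to the unpatched server: with no
    credentials configured, every request is accepted."""
    if policy.credentials is None:
        return True
    return presented == policy.credentials


def evaluate_request(policy: RpcPolicy, method: str, headers: Dict[str, str],
                     presented: Optional[str]) -> Tuple[bool, str]:
    """Hardened replacement that fails closed on each of the three findings.
    Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Authentication: an unset credential is a misconfiguration, not a bypass.
    if policy.credentials is None:
        return False, "rpc credentials not configured; refusing all requests"
    if presented != policy.credentials:
        return False, "invalid credential"

    # 2a. DNS rebinding: the attacker's page resolves its own hostname to
    # 127.0.0.1, so the request reaches the listener with that hostname in Host.
    # Pin Host to the loopback names and to the listener's own port.
    host = h.get("host", "")
    hostname, sep, port = host.rpartition(":")
    if not sep or hostname not in LOOPBACK_HOSTS or port != str(policy.port):
        return False, f"Host {host!r} is not this loopback listener"

    # 2b. CSRF: browsers attach Origin to cross-site POSTs; local CLI clients do
    # not send one. Any Origin outside the allowlist is a cross-site request.
    origin = h.get("origin")
    if origin is not None and origin not in policy.allowed_origins:
        return False, f"cross-origin request from {origin!r} rejected"

    # 3. Master passphrase: spending and key-export methods stay closed until
    # the wallet has been unlocked, regardless of who is asking.
    if method in policy.passphrase_gated and policy.wallet_locked:
        return False, f"{method} requires the wallet to be unlocked"

    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Runs the check over constructed requests mirroring the report's scenarios."""
    locked = RpcPolicy(port=9256, credentials="s3cret", wallet_locked=True)
    unlocked = RpcPolicy(port=9256, credentials="s3cret", wallet_locked=False)
    cases = {
        # Cross-site POST from a browser: Host is still the real listener, but
        # the browser stamps the attacker's Origin onto the request.
        "csrf": (locked, "send_transaction",
                 {"Host": "localhost:9256", "Origin": "https://attacker.example"}, "s3cret"),
        # DNS rebinding: Host now carries the attacker's domain, which is what
        # distinguishes it from a plain cross-site POST; Host pinning stops it
        # before the Origin check is even reached.
        "rebinding": (locked, "send_transaction",
                      {"Host": "attacker.example:9256",
                       "Origin": "http://attacker.example:9256"}, "s3cret"),
        # Local process with a valid credential calling a gated method while locked.
        "locked_seed_export": (locked, "get_private_key",
                               {"Host": "127.0.0.1:9256"}, "s3cret"),
        # Same local caller, wallet unlocked, non-gated method: allowed.
        "local_cli": (unlocked, "get_wallet_balance",
                      {"Host": "127.0.0.1:9256"}, "s3cret"),
    }
    return {name: evaluate_request(p, m, hd, cred)
            for name, (p, m, hd, cred) in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The ordering matters: the credential and Host checks run before any method-specific logic, so a rebinding request is refused without the server ever consulting the method table, and the lock gate applies even to a fully authenticated local caller, which is the gap the third finding describes.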