CVE-2024-21669 CRITICAL

CVE-2024-21669: Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC

Vendor Hyperledger

Product aries-cloudagent-python

Weakness CWE-347

Published January 11, 2024

Last update June 3, 2025

View on NVD All CVEs

CVSS base score

9.9/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

Description

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.

Key dates

Disclosure timeline

January 11, 2024 CVE published

June 3, 2025 Record updated

Identifiers

CVE CVE-2024-21669

CWE CWE-347

CVSS 9.9 / CRITICAL

Affected versions

Vendor Hyperledger

Product aries-cloudagent-python

Affected >= 0.7.0, < 0.10.5

Vendor Hyperledger

Product aries-cloudagent-python

Affected >= 0.11.0rc1, < 0.11.0