Security Vulnerability Report
CVE-2023-7345 CVSS 6.5 MEDIUM

Published: 2026-05-19 22:16:35
Last Modified: 2026-05-20 14:16:36

Description

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtain signatures on truncated or misinterpreted message values to authorize unintended blockchain transactions, such as asset transfers at incorrect amounts.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability Score: 2.8, Impact Score: 3.6
Secondary CVSS 4.0 Score: 6.9 MEDIUM
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Configurations (Affected Products)

No NVD configuration (CPE) data is available for this entry. The affected component named in the description is:

ledgerhq/hw-app-eth < 6.34.7 (fixed in 6.34.7)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
/*
 * PoC concept for CVE-2023-7345
 * Demonstrating the odd-length hex parsing issue
 */
const vulnerableHex = "0x123";  // odd-length hex string
const correctHex = "0x0123";    // even-length hex string (padded)

// Simulating the vulnerable parsing behaviour
function vulnerableParse(hex) {
  // The vulnerable library may fail to pad odd-length strings,
  // causing interpretation errors or truncation.
  if (hex.length % 2 !== 0) {
    console.log("[VULNERABLE] Odd length detected, potential truncation or parsing error");
    // In the real vulnerability this leads to signing a different value than intended.
    // Note: parseInt itself handles odd-length input; this concept code only flags it.
    return parseInt(hex, 16);
  }
  return parseInt(hex, 16);
}

console.log("Parsing vulnerable hex:", vulnerableParse(vulnerableHex)); // 291
console.log("Parsing correct hex:", vulnerableParse(correctHex));       // 291

// Attack scenario:
// The 'value' field in the EIP-712 data is set to '0xabc' (odd length).
// Ledger Live displays the intended value ('0xabc', 2748), but a parser that
// mishandles the odd-length string may sign a truncated or misinterpreted
// value, so the signature authorises an amount other than the one shown.
```
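Added example (not code from the advisory or from the ledgerhq/hw-app-eth project) showing the failure mode the description names beside a hardened check: Node's byte-wise hex decoder silently drops a trailing unpaired nibble, so a naive decoder reads the constructed field value 0xabc as 0xab, while the hardened decoder validates, left-pads and round-trips the value before it is used. Whether the affected library decoded fields this way is an assumption; the message and its field names are constructed sample data.

```javascript
// Added example (not from the advisory or the ledgerhq/hw-app-eth project):
// a byte-wise hex decoder mishandling an odd-length EIP-712 field value,
// and a hardened decoder that normalises and verifies the value first.
// Uses Node's global Buffer; assumes the library decoded fields byte-wise.

// Naive decoder: Buffer's hex decoding silently drops a trailing unpaired
// nibble, so "0xabc" decodes as <ab> (171) instead of 0x0abc (2748).
function naiveHexToBigInt(hex) {
  const bytes = Buffer.from(hex.replace(/^0x/i, ""), "hex");
  return BigInt("0x" + (bytes.toString("hex") || "0"));
}

// Hardened decoder: validate the alphabet, left-pad to an even length,
// decode, then require the re-encoded bytes to equal the padded input
// (a round-trip check that catches any silent truncation).
function safeHexToBigInt(hex) {
  if (typeof hex !== "string" || !/^0x[0-9a-f]*$/i.test(hex)) {
    throw new TypeError(`invalid hex field: ${hex}`);
  }
  let digits = hex.slice(2).toLowerCase();
  if (digits.length === 0) digits = "00";
  if (digits.length % 2 === 1) digits = "0" + digits;
  const bytes = Buffer.from(digits, "hex");
  if (bytes.toString("hex") !== digits) {
    throw new RangeError(`hex field did not round-trip: ${hex}`);
  }
  return BigInt("0x" + digits);
}

// Constructed EIP-712-style message: the value field carries an odd-length hex string.
const sampleMessage = {
  to: "0x1111111111111111111111111111111111111111",
  value: "0xabc",
};

// Decode the same field both ways so the discrepancy is visible.
function compareDecoders(message) {
  return {
    naive: naiveHexToBigInt(message.value), // 171n: trailing nibble lost
    safe: safeHexToBigInt(message.value),   // 2748n: the value the user meant
  };
}

console.log(compareDecoders(sampleMessage));
```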

References

https://donjon.ledger.com/lsb/020/
https://www.vulncheck.com/advisories/ledger-live-hw-app-eth-eip-712-message-parsing-integer-truncation

Weakness: CWE-704 (Incorrect Type Conversion or Cast)
NVD status: Deferred
