Hyperledger Aries Cloud Agent Python (ACA-Py) Users Beware of Verification Flaw

CVE: CVE-2024-21669
CVSS (v3.1): 9.9
Source: CVE-2024-21669

ACA-Py, an open-source tool for building decentralized identity applications, had a vulnerability in how it verified credentials presented by users. When verifying credentials formatted according to the W3C Verifiable Credentials standard with Linked Data Proofs, the result of the proof verification was not checked properly: the proof check ran, but its outcome did not determine whether the presentation was accepted.

This meant that credentials with invalid proofs could still be marked as verified. A malicious user could take advantage of this to present credentials they did not actually have access to. They could also record valid presentations from other users and replay them as their own.

The vulnerability was present from version 0.7.0 until it was fixed in the 0.10.5 release. If you use ACA-Py to build identity apps, update to the latest version as soon as possible to protect against this verification flaw. Always confirm that the result of proof verification is actually checked, so that only genuine credential holders can prove their claims.
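As an added illustration (not ACA-Py's own code), the sketch below contrasts a verifier that discards the proof-check result, the pattern this CVE describes, with one that enforces it and binds the presentation to the verifier's challenge. The holder keys, DIDs and HMAC-based "proof" are constructed stand-ins for a real Linked Data Proof suite.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed holder keys (hypothetical DIDs); the HMAC "proof" is a stand-in for an LD proof.
HOLDER_KEYS = {"did:example:alice": b"alice-secret", "did:example:bob": b"bob-secret"}

@dataclass
class ProofResult:
    verified: bool
    error: str = ""

def _digest(presentation: dict, challenge: str) -> bytes:
    # Bytes covered by the proof: the presentation minus its proof, bound to the challenge.
    body = {k: v for k, v in presentation.items() if k != "proof"}
    body["challenge"] = challenge
    return json.dumps(body, sort_keys=True).encode()

def make_presentation(holder: str, claims: dict, challenge: str) -> dict:
    pres = {"holder": holder, "claims": claims}
    mac = hmac.new(HOLDER_KEYS[holder], _digest(pres, challenge), hashlib.sha256).hexdigest()
    pres["proof"] = {"verificationMethod": holder, "challenge": challenge, "proofValue": mac}
    return pres

def check_proof(presentation: dict, expected_challenge: str) -> ProofResult:
    proof = presentation.get("proof", {})
    if proof.get("challenge") != expected_challenge:
        return ProofResult(False, "challenge mismatch (possible replay)")
    method = proof.get("verificationMethod")
    if method != presentation.get("holder") or method not in HOLDER_KEYS:
        return ProofResult(False, "unknown or mismatched verification method")
    expected = hmac.new(HOLDER_KEYS[method], _digest(presentation, expected_challenge),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof.get("proofValue", "")):
        return ProofResult(False, "invalid proof value")
    return ProofResult(True)

def verify_presentation_vulnerable(presentation: dict, challenge: str) -> bool:
    # Bug pattern from the advisory: the proof check runs, but its result is never consulted.
    check_proof(presentation, challenge)
    return True

def verify_presentation_fixed(presentation: dict, challenge: str) -> bool:
    result = check_proof(presentation, challenge)
    if not result.verified:
        raise ValueError(f"presentation rejected: {result.error}")
    return True
```

The vulnerable function accepts a presentation with tampered claims, a replayed challenge, or another holder's proof; the fixed one raises on each.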

This issue serves as a reminder for developers to carefully audit credential verification paths. Centralized identity systems have single points of failure, so decentralized alternatives like ACA-Py must have robust security. Staying on top of updates helps keep user data and systems secure against exploitation of flaws like this one.
