CVE-2023-7345
Integer Parsing Flaw in Ledger Live EIP-712 Messages
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ledgerhq | hw-app-eth | < 6.34.7 (6.34.7 excluded; fixed in 6.34.7) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-704 | The product does not correctly convert an object, resource, or structure from one type to a different type. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Ledger Live when it is used with vulnerable versions of the ledgerhq/hw-app-eth library (versions before 6.34.7). It is an integer parsing flaw in the handling of EIP-712 typed data messages: hexadecimal field values are parsed incorrectly when they contain an odd number of hex characters. Because one hex character encodes half a byte, an odd-length string cannot be split into whole bytes, and a decoder that does not account for this can silently drop part of the value instead of rejecting or normalising the input.
An attacker who can supply the typed data presented for signing can use this to obtain a signature over a truncated or misinterpreted value rather than the one the user believes they are approving. Such a signature can then be used to authorize unintended blockchain transactions, such as transferring assets in an amount other than the one intended.
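As an added illustration (not code from Ledger Live or @ledgerhq/hw-app-eth), the following Node.js snippet shows how an odd-length hex integer is silently truncated by a decoder that relies on Buffer.from(..., "hex"), a hardened equivalent that validates and normalises the input, and a scanner that flags odd-length hex fields anywhere in a typed-data message before it reaches a signer. The function names and the sample message are constructed for this example; the naive function models the class of flaw described above, not the library's actual implementation.

```javascript
// Added illustration of the flaw class described on this page. This is NOT
// code from @ledgerhq/hw-app-eth or Ledger Live; the function names and the
// sample typed-data message below are constructed for the example.

// Naive decoding: strip "0x" and hand the rest to Buffer.from(..., "hex").
// Node's hex decoder stops at the first incomplete byte, so an odd-length
// string loses its final nibble (a single digit decodes to nothing) without
// throwing. This models the truncation the advisory describes.
function naiveHexToBytes(hex) {
  const body = hex.startsWith("0x") ? hex.slice(2) : hex;
  return Buffer.from(body, "hex");
}

// Hardened decoding: check the alphabet, left-pad an odd nibble count with a
// zero (harmless for an integer), and confirm the decode round-trips.
function strictHexToBytes(hex) {
  if (typeof hex !== "string") throw new TypeError("hex value must be a string");
  let body = /^0x/i.test(hex) ? hex.slice(2) : hex;
  if (body.length === 0) body = "0";
  if (!/^[0-9a-fA-F]+$/.test(body)) throw new Error(`invalid hex: ${hex}`);
  if (body.length % 2 === 1) body = "0" + body;
  const out = Buffer.from(body, "hex");
  if (out.toString("hex") !== body.toLowerCase()) {
    throw new Error(`hex decode did not round-trip: ${hex}`);
  }
  return out;
}

// Big-endian bytes -> unsigned integer.
function bytesToBigInt(buf) {
  return buf.length === 0 ? 0n : BigInt("0x" + buf.toString("hex"));
}

// EIP-712 hashes atomic integers as 32-byte big-endian words; left-pad so the
// two paths can be compared as the bytes that would actually be hashed.
function toUint256Word(buf) {
  if (buf.length > 32) throw new RangeError("value does not fit in uint256");
  return Buffer.concat([Buffer.alloc(32 - buf.length), buf]);
}

// Decode one field both ways and return the integer each path would sign.
function compareParsers(hex) {
  return {
    naive: bytesToBigInt(naiveHexToBytes(hex)),
    strict: bytesToBigInt(strictHexToBytes(hex)),
  };
}

// Walk a typed-data `message` object and return the dotted path of every
// "0x..." string with an odd number of nibbles, i.e. every field a naive
// decoder would mangle. Useful as a pre-signing check on untrusted input.
function findOddLengthHexFields(message, prefix = "") {
  const hits = [];
  for (const [key, val] of Object.entries(message)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (typeof val === "string") {
      const m = /^0x([0-9a-fA-F]*)$/i.exec(val);
      if (m && m[1].length % 2 === 1) hits.push(path);
    } else if (val && typeof val === "object") {
      hits.push(...findOddLengthHexFields(val, path));
    }
  }
  return hits;
}

// Constructed permit-style message: `value` is 0x186a0 (100000) written with
// five nibbles. A naive decoder keeps only "18 6a" and signs 0x186a (6250).
const sampleMessage = {
  owner: "0x1111111111111111111111111111111111111111",
  spender: "0x2222222222222222222222222222222222222222",
  value: "0x186a0",
  nonce: "0x00",
  deadline: "0x65f1c2d0",
};

console.log("fields a naive decoder would truncate:", findOddLengthHexFields(sampleMessage));
console.log("value as signed by each path:", compareParsers(sampleMessage.value));
console.log("uint256 word (strict):", toUint256Word(strictHexToBytes(sampleMessage.value)).toString("hex"));
```

The strict decoder pads rather than rejects because a leading zero nibble does not change an integer's value; for fields that are not integers (fixed-size bytes, addresses) an odd length is never legitimate and should be rejected outright, which is what the scanner's output lets a caller do before any data is sent to the device.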
How can this vulnerability impact me?
If you sign EIP-712 messages through an affected Ledger Live / hw-app-eth setup, an attacker who supplies the typed data can cause you to sign a message whose integer fields are truncated or misinterpreted, leading to unintended transactions such as asset transfers in incorrect amounts.
As a result, you may lose assets or have unauthorized transactions executed on your behalf without your full consent or knowledge.
What immediate steps should I take to mitigate this vulnerability?
Update Ledger Live to version 2.70.0 or later and make sure the ledgerhq/hw-app-eth library it uses is version 6.34.7 or later. If you maintain an application that bundles hw-app-eth as a dependency, bump it to 6.34.7 or later yourself; in a Node.js project, running npm ls @ledgerhq/hw-app-eth shows which version is actually resolved.
These releases fix the integer parsing flaw that allows attackers to manipulate EIP-712 typed data messages. Until you have updated, review every value shown on the device before approving an EIP-712 signature and decline anything that does not match what you expect to sign.