DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-QR2G-P6Q7-W82M: GHSA-qr2g-p6q7-w82m: Critical Payment Verification Bypass in Coinbase x402 SDK (Solana)

#security #cve #cybersecurity #ghsa

GHSA-qr2g-p6q7-w82m: Critical Payment Verification Bypass in Coinbase x402 SDK (Solana)

Vulnerability ID: GHSA-QR2G-P6Q7-W82M
CVSS Score: 9.9
Published: 2026-03-07

A critical vulnerability exists in the Coinbase x402 SDK affecting the verification of Solana (SVM) payments. The flaw is located in the facilitator component, which acts as an intermediary for validating automated HTTP 402 payments. Due to improper verification of Ed25519 cryptographic signatures in the Solana implementation, an attacker can bypass payment requirements. This allows unauthorized access to monetized APIs, compute resources, or digital goods without settling the required transaction on the blockchain. The vulnerability specifically affects the @x402/svm npm package, the x402 PyPI package, and the Go SDK.

TL;DR

The Coinbase x402 SDK contains a critical flaw in its Solana payment verification logic. Attackers can spoof payment signatures to bypass fees for APIs and services using the protocol. This affects versions prior to 2.6.0 (npm), 2.3.0 (Python), and 2.5.0 (Go). Immediate upgrade is required for all facilitators.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-347
  • CVSS Score: 9.9 (Critical)
  • Attack Vector: Network
  • Exploit Status: PoC Available
  • Affected Protocol: Solana (SVM)
  • Patch Date: 2026-03-07

Affected Systems

  • Node.js applications using @x402/svm
  • Python applications using x402
  • Go applications using github.com/coinbase/x402/go
  • @x402/svm: < 2.6.0 (Fixed in: 2.6.0)
  • x402 (PyPI): < 2.3.0 (Fixed in: 2.3.0)
  • github.com/coinbase/x402/go: < 2.5.0 (Fixed in: 2.5.0)

Mitigation Strategies

  • Upgrade all x402 SDK components to the latest patched versions immediately.
  • Review access logs for suspicious activity, specifically repeated signatures or high-volume requests from single IPs without corresponding on-chain volume.
  • If immediate patching is not possible, temporarily disable Solana (SVM) payment support and fallback to EVM-only payments.

Remediation Steps:

  1. Identify all services acting as x402 facilitators.
  2. For Node.js/TypeScript projects: Run npm install @x402/svm@latest to reach version 2.6.0 or higher.
  3. For Python projects: Run pip install x402 --upgrade to reach version 2.3.0 or higher.
  4. For Go projects: Update go.mod to require github.com/coinbase/x402/go version 2.5.0 or higher.
  5. Restart all facilitator services to load the new logic.

References

Read the full report for GHSA-QR2G-P6Q7-W82M on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)