CVE-2024-31995

Summary

CVE-2024-31995 affects the `@digitalbazaar/zcap` library before version 9.0.1, which provides JavaScript implementation for Authorization Capabilities. This vulnerability allows invocations outside of the original intended time period when a capability is delegated directly from the root capability with a chain depth of 2. The `expires` property is not adequately checked against the current date or other `date` parameters. However, it's important to note that the zcap cannot be invoked without the associated private key material. The issue is resolved in version 9.0.1, which includes expiration checking fixes. A temporary workaround is to revoke the zcap at any time.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.