{"id":"CVE-2023-46132","summary":"Crosslinking transaction attack in hyperledger/fabric","details":"Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules with one another, called \"cross-linking\", results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cross-linked, the second peer will parse transactions in a different way and thus its world state will deviate from the first peer. Orderers or peers cannot detect that a block has its transactions cross-linked, because there is a vulnerability in the way Fabric hashes the transactions of blocks. It simply and naively concatenates them, which is insecure and lets an adversary craft a \"cross-linked block\" (block with cross-linked transactions) which alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer to completely avoid processing it, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade.\nThere are no known workarounds for this vulnerability.","aliases":["BIT-hyperledger-fabric-orderer-2023-46132","BIT-hyperledger-fabric-peer-2023-46132","BIT-hyperledger-fabric-tools-2023-46132","GHSA-v9w2-543f-h69m"],"modified":"2026-03-14T12:21:33.791093Z","published":"2023-11-14T20:23:15.643Z","database_specific":{"cwe_ids":["CWE-362"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/46xxx/CVE-2023-46132.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/46xxx/CVE-2023-46132.json"},{"type":"ADVISORY","url":"https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46132"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hyperledger/fabric","events":[{"introduced":"e4b47043270f2293daabf7d24984dd46901e04e7"},{"fixed":"994b1e2d1fc57eecd9b3358e6fd6d0280f6ab751"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"2.2.14"}]}},{"type":"GIT","repo":"https://github.com/hyperledger/fabric","events":[{"introduced":"ec81f3e74fa127fc504b1c2249b19ec421ea2a1d"},{"fixed":"4072367fc4dd8552cbd61c5cb418568aa086cbca"}],"database_specific":{"versions":[{"introduced":"2.3.0"},{"fixed":"2.5.5"}]}}],"versions":["v1.0.0","v1.1.0-alpha","v1.1.0-preview","v1.1.0-rc1","v1.2.0-rc1","v1.3.0-rc1","v1.4.0-rc1","v2.0.0-alpha","v2.0.0-beta","v2.2.0","v2.2.1","v2.2.10","v2.2.11","v2.2.12","v2.2.13","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-46132.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"}]}