WS-2020-0048
Published:May 14, 2026
Updated:May 14, 2026
Impact The ""verifyVerifiableCredential()"" (https://github.com/rabobank-blockchain/vp-toolkit/blob/master/src/service/signers/verifiable-credential-signer.ts#L57) method check the cryptographic integrity of the Verifiable Credential, but it does not check if the ""credential.issuer"" (https://github.com/rabobank-blockchain/vp-toolkit-models/blob/develop/src/model/verifiable-credential.ts#L129) DID matches the signer of the credential. The verifier is impacted by this vulnerability. Patches Patch will be available in version 0.2.2. Workarounds In case you trust certain issuers for certain credentials as a verifier, trust the issuer's public key from the "credential.proof.verificationMethod" field. References "Github issue" (https://github.com/rabobank-blockchain/vp-toolkit/issues/13) For more information If you have any questions or comments about this advisory: * Discuss in the existing "issue" (https://github.com/rabobank-blockchain/vp-toolkit/issues/13) * "Contact me" (https://github.com/rabomarnix)
Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE