x402 SDK vulnerable in outdated versions in resource servers for builders

High severity GitHub Reviewed Published Aug 20, 2025 in coinbase/x402 • Updated Aug 20, 2025

Package               Affected versions   Patched versions
x402 (npm)            < 0.5.2             0.5.2
x402-express (npm)    < 0.5.2             0.5.2
x402-hono (npm)       < 0.5.2             0.5.2
x402-next (npm)       < 0.5.2             0.5.2

Description

Impact

There is a security vulnerability in outdated versions of the x402 SDK. This does not directly affect users' keys, smart contracts, or funds.

This primarily impacts builders working on resource servers.

Patches

Please update to the following package versions:

  • x402 >= 0.5.2
  • x402-next >= 0.5.2
  • x402-express >= 0.5.2
  • x402-hono >= 0.5.2
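
One way to check a resource server's dependency tree against the versions listed above. This is an added example, not code from the advisory or the x402 project. It assumes an npm package-lock.json with lockfileVersion 2 or 3 (a "packages" map), and the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example, not code from the advisory or the x402 project.
const X402_PACKAGES = new Set(["x402", "x402-next", "x402-express", "x402-hono"]);
const PATCHED = "0.5.2"; // patched version for all four packages, from the advisory

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

// True when a sorts below b; a prerelease of X.Y.Z sorts below X.Y.Z itself.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null && b.pre === null;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json,
// including nested node_modules copies pulled in by other dependencies.
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace folder entry
    const name = entry.name || path.slice(idx + "node_modules/".length);
    if (!X402_PACKAGES.has(name)) continue;
    const installed = parseVersion(entry.version);
    const status = installed === null ? "unparsed"
      : isBelow(installed, parseVersion(PATCHED)) ? "affected" : "ok";
    if (status !== "ok") findings.push({ name, path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (versions below are illustrative, not from the advisory).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-resource-server", version: "1.0.0" },
    "node_modules/x402": { version: "0.5.2" },
    "node_modules/x402-express": { version: "0.4.1" },
    "node_modules/x402-express/node_modules/x402": { version: "0.4.1" },
    "node_modules/x402-hono": { version: "0.5.2-beta.1" },
    "node_modules/express": { version: "4.19.2" },
  },
};
console.log(findAffected(sampleLock));
```

For a real project, pass the parsed contents of package-lock.json to findAffected. Entries reported as "unparsed" (for example linked packages with no version field) need a manual look.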

References

apmcdermott-cb published to coinbase/x402 Aug 20, 2025
Published to the GitHub Advisory Database Aug 20, 2025
Reviewed Aug 20, 2025
Last updated Aug 20, 2025

Severity

High

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-3j63-5h8p-gf7c

Source code
