{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46834", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-30T19:41:58.135Z", "datePublished": "2025-05-15T19:37:07.090Z", "dateUpdated": "2025-05-19T14:42:13.688Z"}, "containers": {"cna": {"title": "Alchemy's Modular Account can use executeUserOp to bypass allowlist prevalidation hook", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv"}, {"name": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0", "tags": ["x_refsource_MISC"], "url": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0"}], "affected": [{"vendor": "alchemyplatform", "product": "modular-account", "versions": [{"version": "= 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-15T19:37:07.090Z"}, "descriptions": [{"lang": "en", "value": "Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue."}], "source": {"advisory": "GHSA-jhp7-7cq9-m4pv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-19T14:41:50.807784Z", "id": "CVE-2025-46834", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T14:42:13.688Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46834", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-19T14:41:50.807784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T14:42:04.373Z"}}], "cna": {"title": "Alchemy's Modular Account can use executeUserOp to bypass allowlist prevalidation hook", "source": {"advisory": "GHSA-jhp7-7cq9-m4pv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "alchemyplatform", "product": "modular-account", "versions": [{"status": "affected", "version": "= 2.0.0"}]}], "references": [{"url": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv", "name": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0", "name": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-15T19:37:07.090Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46834", "state": "PUBLISHED", "dateUpdated": "2025-05-19T14:42:13.688Z", "dateReserved": "2025-04-30T19:41:58.135Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-15T19:37:07.090Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts can be accessed by the session key. There is a bug in the allowlist module in that we don't check for the `executeUserOp` -> `execute` or `executeBatch` path, effectively allowing any session key to bypass any access control restrictions set on the session key. Session keys are able to access ERC20 and ERC721 token contracts amongst others, transferring all tokens from the account out andonfigure the permissions on external modules on session keys. They would be able to remove all restrictions set on themselves this way, or rotate the keys of other keys with higher privileges into keys that they control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue."}, {"lang": "es", "value": "Modular Account de Alchemy es una cuenta de contrato inteligente compatible con ERC-4337 y ERC-6900. En versiones de la rama 2.x anteriores a el commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, los propietarios de Cuentas Modulares pueden otorgar claves de sesi\u00f3n (claves externas con alcance) a terceros y usar el m\u00f3dulo de lista de permitidos para restringir los contratos externos a los que puede acceder la clave de sesi\u00f3n. Existe un error en el m\u00f3dulo de lista de permitidos: no se verifica la ruta `executeUserOp` -> `execute` o `executeBatch`, lo que permite que cualquier clave de sesi\u00f3n eluda las restricciones de control de acceso establecidas en la clave de sesi\u00f3n. Las claves de sesi\u00f3n pueden acceder a contratos de tokens ERC20 y ERC721, entre otros, transfiriendo todos los tokens de la cuenta y configurando los permisos de los m\u00f3dulos externos en las claves de sesi\u00f3n. De esta manera, podr\u00edan eliminar todas las restricciones impuestas o rotar las claves de otras claves con mayores privilegios a claves que controlen. El commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 corrige este problema."}], "id": "CVE-2025-46834", "lastModified": "2025-05-16T14:42:18.700", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-05-15T20:16:08.460", "references": [{"source": "[email protected]", "url": "https://github.com/alchemyplatform/modular-account/commit/5e6f540d249afcaeaf76ab95517d0359fde883b0"}, {"source": "[email protected]", "url": "https://github.com/alchemyplatform/modular-account/security/advisories/GHSA-jhp7-7cq9-m4pv"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}]}

{}