CVE-2026-40069.yml
---
gem: bsv-sdk
cve: 2026-40069
ghsa: 9hfr-gw99-8rhx
url: https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx
title: bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
date: 2026-04-09
description: |
  # ARC broadcaster treats failure statuses as successful broadcasts

  ## Summary

  `BSV::Network::ARC`'s failure detection only recognises `REJECTED`
  and `DOUBLE_SPEND_ATTEMPTED`. ARC responses with `txStatus` values
  of `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, or any
  `ORPHAN`-containing `extraInfo` / `txStatus` are silently treated
  as successful broadcasts. Applications that gate actions on broadcaster
  success are tricked into trusting transactions that were never
  accepted by the network.

  ## Details

  `lib/bsv/network/arc.rb` (lines ~74-100 in the affected code) uses a
  narrow failure predicate compared to the TypeScript reference SDK.
  The TS broadcaster additionally recognises:

  - `INVALID`
  - `MALFORMED`
  - `MINED_IN_STALE_BLOCK`
  - Any response containing `ORPHAN` in `extraInfo` or `txStatus`

  The Ruby implementation omits all of these, so ARC responses
  carrying any of these statuses are returned to the caller as
  successful broadcasts.

  Additional divergences in the same module compound the risk:

  - `Content-Type` is sent as `application/octet-stream`; the TS
    reference sends `application/json` with a `{ rawTx: <hex> }`
    body (EF form where source transactions are available).
  - The headers `XDeployment-ID`, `X-CallbackUrl`, and `X-CallbackToken`
    are not sent.

  The immediate security-relevant defect is the missing failure
  statuses; the other divergences are fixed in the same patch for
  protocol compliance.

  ## Impact

  Integrity: callers receive a success response for broadcasts that
  were actually rejected by the ARC endpoint. Applications and
  downstream gems that gate actions on broadcaster success — releasing
  goods, marking invoices paid, treating a token as minted, progressing
  a workflow — are tricked into trusting transactions that were never broadcast.

  This is an integrity bug with security consequences. It does not
  disclose information (confidentiality unaffected) and does not
  affect availability.

  ## CVSS rationale

  `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` → **7.5 (High)**

  - **AV:N** — network-reachable.
  - **AC:L** — no specialised access conditions are required. Triggering
    any of the unhandled failure statuses is not meaningfully harder
    than broadcasting a transaction at all: a malformed or invalid
    transaction, an orphan condition from a transient fork, or a
    hostile/misbehaving ARC endpoint returning one of these statuses
    is sufficient. The attacker does not need to defeat any mitigation
    or race a specific window — the bug is that the code path doesn't
    exist at all.
  - **PR:N** — no privileges required.
  - **UI:N** — no user interaction.
  - **C:N** — no confidentiality impact.
  - **I:H** — downstream integrity decisions are taken on
    non-broadcast transactions.
  - **A:N** — no availability impact.

  ## Affected versions

  The ARC broadcaster was introduced in commit `a1f2e62` ("feat(network):
  add ARC broadcaster with injectable HTTP client") on 2026-02-08 and
  first released in **v0.1.0**. The narrow failure predicate has been
  present since introduction. Every release up to and including **v0.8.1**
  is affected.

  Affected range: `>= 0.1.0, < 0.8.2`.

  ## Patches

  Upgrade to `bsv-sdk >= 0.8.2`. The fix:

  - Expands the failure predicate (`REJECTED_STATUSES` + `ORPHAN`
    substring check on both `txStatus` and `extraInfo`) to include
    `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, and any
    orphan-containing response, matching the TypeScript reference.
  - Switches `Content-Type` to `application/json` with a `{ rawTx: <hex> }`
    body, preferring Extended Format (BRC-30) hex when every input has
    `source_satoshis` and `source_locking_script` populated and falling
    back to plain raw-tx hex otherwise.
  - Adds support for the `XDeployment-ID` (default: random
    `bsv-ruby-sdk-<hex>`), `X-CallbackUrl`, and `X-CallbackToken`
    headers via new constructor keyword arguments.

  Fixed in sgbett/bsv-ruby-sdk#306.

  ### Note for `bsv-wallet` consumers

  The sibling gem `bsv-wallet` (published from the same repository) is
  not independently vulnerable — `lib/bsv/network/arc.rb` is not bundled
  into the wallet gem's `files` list. However, `bsv-wallet` runtime-depends
  on `bsv-sdk`, so a consumer of `bsv-wallet` that also invokes the
  ARC broadcaster is transitively exposed whenever `Gemfile.lock`
  resolves to a vulnerable `bsv-sdk` version. `bsv-wallet >= 0.3.4`
  tightens its `bsv-sdk` constraint to `>= 0.8.2, < 1.0`, so upgrading
  either gem is sufficient to pull in the fix.

  ## Workarounds

  If upgrading is not immediately possible:

  - Verify broadcast results out-of-band (e.g. query a block explorer
    or WhatsOnChain) before treating a transaction as broadcast.
  - Do not gate integrity-critical actions solely on the ARC
    broadcaster's success response.

  ## Credit

  Identified during the 2026-04-08 cross-SDK compliance review,
  tracked as finding F5.13.
cvss_v3: 7.5
unaffected_versions:
- "< 0.1.0"
patched_versions:
- ">= 0.8.2"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40069
    - https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2
    - https://github.com/sgbett/bsv-ruby-sdk/pull/306
    - https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc
    - https://github.com/sgbett/bsv-ruby-sdk/issues/305
    - https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx
    - https://advisories.gitlab.com/pkg/gem/bsv-sdk/CVE-2026-40069
    - https://github.com/advisories/GHSA-9hfr-gw99-8rhx
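The narrow failure predicate from the Details section beside the widened one from the Patches section, as an added example that is not the gem's own code: method names, the response hashes and the txid values are constructed for illustration, and `silently_accepted` lists the responses the old predicate would have reported as successful broadcasts.

```ruby
# Added example (not the gem's own code): the narrow failure predicate
# the advisory describes beside a widened one matching the TypeScript
# reference. Method names and sample responses are illustrative.

# Statuses the vulnerable predicate recognised as failures.
NARROW_REJECTED = %w[REJECTED DOUBLE_SPEND_ATTEMPTED].freeze

# Statuses the patched predicate recognises as failures.
REJECTED_STATUSES = %w[
  REJECTED DOUBLE_SPEND_ATTEMPTED INVALID MALFORMED MINED_IN_STALE_BLOCK
].freeze

# Pre-0.8.2 behaviour: only two txStatus values count as failure.
def vulnerable_failure?(response)
  NARROW_REJECTED.include?(response["txStatus"])
end

# Patched behaviour: widened status list plus an ORPHAN substring
# check on both txStatus and extraInfo (nil fields are treated as "").
def patched_failure?(response)
  status = response["txStatus"].to_s
  extra  = response["extraInfo"].to_s
  REJECTED_STATUSES.include?(status) ||
    status.include?("ORPHAN") || extra.include?("ORPHAN")
end

# Constructed sample ARC responses; txids are placeholders, not real.
SAMPLE_RESPONSES = [
  { "txid" => "aa" * 32, "txStatus" => "SEEN_ON_NETWORK", "extraInfo" => "" },
  { "txid" => "bb" * 32, "txStatus" => "REJECTED", "extraInfo" => "fee too low" },
  { "txid" => "cc" * 32, "txStatus" => "INVALID", "extraInfo" => "script failed" },
  { "txid" => "dd" * 32, "txStatus" => "MALFORMED" },
  { "txid" => "ee" * 32, "txStatus" => "MINED_IN_STALE_BLOCK" },
  { "txid" => "ff" * 32, "txStatus" => "SEEN_IN_ORPHAN_MEMPOOL" },
  { "txid" => "11" * 32, "txStatus" => "ERROR", "extraInfo" => "ORPHAN: parent missing" }
].freeze

# txids the vulnerable predicate reported as successful broadcasts but
# the patched predicate classifies as failures: the silently accepted set.
def silently_accepted(responses = SAMPLE_RESPONSES)
  responses.reject { |r| vulnerable_failure?(r) }
           .select { |r| patched_failure?(r) }
           .map { |r| r["txid"] }
end

if $PROGRAM_NAME == __FILE__
  silently_accepted.each { |txid| puts "missed failure: #{txid}" }
end
```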