Publish GHSA-qr2g-p6q7-w82m

advisory-database[bot] · advisory-database[bot] · commit 2c97e2ddeba8 · 2026-03-07T02:39:05.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-qr2g-p6q7-w82m/GHSA-qr2g-p6q7-w82m.json b/advisories/github-reviewed/2026/03/GHSA-qr2g-p6q7-w82m/GHSA-qr2g-p6q7-w82m.json
@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qr2g-p6q7-w82m",
+  "modified": "2026-03-07T02:37:47Z",
+  "published": "2026-03-07T02:37:47Z",
+  "aliases": [],
+  "summary": "x402 SDK Security Advisory",
+  "details": "### Impact\n\nA security vulnerability exists in outdated versions of the x402 SDK.\n\nThis vulnerability does not affect users' private keys, smart contracts, or funds.\n\nThe issue impacts resource servers accepting payments on Solana when the facilitator is running a vulnerable version of the x402 SDK.\n\n### Who Should Take Action\n\nFacilitators that process payments on Solana must upgrade the x402 SDK to the patched versions listed below.\n\nClients are not required to upgrade.\n\nResource servers are not required to upgrade unless they operate their own facilitator (self-facilitate).\n\n### Patches\n\nPlease update to the following package versions:\n* Npm: @x402/svm >= 2.6.0\n* Pypi: x402 >= 2.3.0\n* Go: x402 >= 2.5.0",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@x402/svm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.6.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "x402"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/coinbase/x402/go"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.5.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/coinbase/x402/security/advisories/GHSA-qr2g-p6q7-w82m"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/coinbase/x402"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-07T02:37:47Z",
+    "nvd_published_at": null
+  }
+}
