CVE-2023-7345

EUVD-2023-60576

19.05.2026, 22:16

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtain signatures on truncated or misinterpreted message values to authorize unintended blockchain transactions, such as asset transfers at incorrect amounts.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-704 - Incorrect Type Conversion or Cast
The software does not correctly convert an object, resource, or structure from one type to a different type.

References

https://donjon.ledger.com/lsb/020/

https://www.vulncheck.com/advisories/ledger-live-hw-app-eth-eip-712-message-parsing-integer-truncation