CVE-2022-35917: 
JavaScript vulnerability analysis and mitigation

Solana Pay, a protocol and set of reference implementations for decentralized payments in apps and services, was found to contain a vulnerability (CVE-2022-35917) in versions prior to 0.2.1. When using the validateTransfer function to verify a transaction with a reference key, an edge case could cause the validation logic to validate multiple transfers (GitHub Advisory).

The vulnerability exists in the transfer validation mechanism of Solana Pay. When a Solana Pay transaction is located using a reference key and checked to represent a transfer using the supplied validateTransfer function, an edge case in the implementation could lead to validation of multiple transfers instead of a single intended transfer. The issue was assigned a CVSS v3.1 Base Score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

While the impact was considered moderate, the risk was mitigated by the fact that most known Solana Pay point of sale applications were running on physical point of sale devices, making the issue unlikely to occur. However, web-based point of sale applications using the protocol were potentially more vulnerable to exploitation (GitHub Advisory).

The vulnerability has been patched in version 0.2.1 of Solana Pay. Users of the Solana Pay SDK should upgrade to this version or later. There are no known workarounds for this issue (GitHub Advisory).