CVE-2023-50475: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in bcoin-org bcoin version 2.2.0 that allows remote attackers to obtain sensitive information through weak hashing algorithms (MD5 and SHA1) in the component vendor/faye-websocket.js. The vulnerability was assigned CVE-2023-50475 and was disclosed on December 21, 2023. The issue affects the WebSocket communication implementation in the bcoin cryptocurrency library (GitHub Issue, Advisory).

The vulnerability stems from the use of cryptographically weak hashing algorithms (MD5 and SHA1) during client initialization in the WebSocket implementation. The affected code is located in vendor/faye-websocket.js, specifically at lines 1462 and 2919. The implementation uses MD5 for handshake signatures and SHA1 for generating accept tokens, both of which are considered cryptographically weak and vulnerable to collision and preimage attacks. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The use of weak cryptographic algorithms (MD5 and SHA1) can potentially allow malicious actors to compromise the integrity and confidentiality of the WebSocket communication. This could lead to information disclosure and potentially affect the security of cryptocurrency transactions or sensitive data transmitted through the affected components (Advisory).

It is recommended to update the implementation to use more secure hashing algorithms such as SHA-256 or stronger alternatives. The weak hashing algorithms (MD5 and SHA1) should be replaced in both the handshake signature generation and accept token creation processes (Advisory).