CVE-2025-27611: 
JavaScript vulnerability analysis and mitigation

base-x, a base encoder and decoder library that uses bitcoin-style leading zero compression, was found to contain a critical vulnerability (CVE-2025-27611) affecting versions 4.0.0, 5.0.0, and all versions prior to 3.0.11. The vulnerability was disclosed on April 30, 2025, and allows attackers to potentially deceive users into sending funds to unintended addresses through a homograph attack that enables Unicode lookalike characters to bypass validation (Wiz Database, NVD).

The vulnerability stems from inconsistent handling of character codes in the library. While character codes greater than 255 are prohibited when constructing an alphabet (throwing a TypeError), they are incorrectly accepted during string decoding operations. This inconsistency allows attackers to use Unicode characters with codes above 255, potentially creating addresses that appear legitimate but direct funds to different destinations. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub PR, Wiz Database).

The primary impact of this vulnerability is financial in nature. By exploiting the homograph attack vulnerability, malicious actors can create addresses that visually appear identical to legitimate ones but actually direct funds to different destinations, potentially leading to unauthorized fund transfers (GitHub Advisory).

The vulnerability has been patched in versions 3.0.11, 4.0.1, and 5.0.1. Users are strongly advised to upgrade to these patched versions to prevent potential exploitation. The fix involves properly validating character codes during both encoding and decoding operations (GitHub Advisory).