GHSA-56r6-ccm5-8hg3: 
JavaScript vulnerability analysis and mitigation

A high-severity security vulnerability (GHSA-56r6-ccm5-8hg3) was identified in the @account-kit/smart-contracts npm package, affecting versions 4.42.0 through 4.51.0, and Modular Account versions up to v2.0.0. The vulnerability was discovered and disclosed in July 2025, impacting old account deployment functions from the factory (GitHub Advisory).

The vulnerability is related to improper authentication (CWE-287) in the account deployment functions of the factory. It has received a CVSS v4.0 score of 8.0 (High), with the following metrics: Network attack vector, Low attack complexity, No attack requirements, No privileges required, and No user interaction needed. The vulnerability potentially impacts both confidentiality and integrity of the vulnerable system (GitHub Advisory).

While smart wallets in use on all existing supported networks are not impacted, the vulnerability could potentially compromise the confidentiality and integrity of affected systems. The high CVSS score indicates significant potential impact if exploited (GitHub Advisory).

The vulnerability has been patched in version 4.52.0 of @account-kit/smart-contracts and version 2.0.1 of Modular Account. Users are advised to direct the creation of new wallets to either createSemiModularAccount on AccountFactory.sol or createWebAuthnAccount on WebAuthnFactory.sol (GitHub Advisory).