GHSA-8r76-fr72-j32w: 
Rust vulnerability analysis and mitigation

A high severity vulnerability was discovered in the mpl-bubblegum Rust package affecting versions below 0.6.0 and mpl-token-metadata Rust package versions 1.5.0 to 1.6.3. The vulnerability was identified by metamania01 from Solshield Audit Company and disclosed on December 10, 2022. The issue allowed unauthorized creator verification by exploiting a provision in Token Metadata that enables creators who have signed compressed NFTs to decompress them with verified creators (GitHub Advisory).

The vulnerability (GHSA-8r76-fr72-j32w) was related to creator verification in the Bubblegum Activate process. The issue stemmed from a verification bypass in the Token Metadata system that incorrectly handled creator signatures during the decompression of NFTs. The vulnerability was patched in version 0.6.0 of mpl-bubblegum and version 1.6.3 of mpl-token-metadata (GitHub Advisory).

The vulnerability allowed attackers to verify creators who had not actually signed the NFTs, potentially compromising the authenticity and integrity of creator verification in the NFT ecosystem (GitHub Advisory).

The issue has been patched in mpl-bubblegum version 0.6.0 and mpl-token-metadata version 1.6.3. Users are advised to upgrade to these or later versions to protect against this vulnerability (GitHub Advisory).