
Cloud Vulnerability DB
A community-led vulnerabilities database
A high severity vulnerability was identified in the vp-toolkit npm package (GHSA-p94w-42g3-f7h4), affecting versions below 0.2.2. The vulnerability was discovered and published to the GitHub Advisory Database on March 6, 2020, with the latest update on January 9, 2023. The issue affects the verifier component of the vp-toolkit package (GitHub Advisory).
The vulnerability exists in the verifyVerifiableCredential() method. The method checks the cryptographic integrity of the Verifiable Credential but does not verify that the credential.issuer DID matches the signer of the credential. As a result, a valid signature alone is enough for the credential to pass verification, regardless of who produced it (GitHub Advisory).
The vulnerability potentially allows a holder, after receiving a credential, to (re)create credentials that are accepted as authentic, compromising the integrity of the verification system. This affects the verifier's ability to trust the authenticity of credentials processed through the toolkit (GitHub Advisory).
A patch has been released in version 0.2.2 of the vp-toolkit. As a workaround, for verifiers who trust certain issuers for specific credentials, it is recommended to trust the issuer's public key from the credential.proof.verificationMethod field (GitHub Advisory).
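The missing issuer check described above, shown as an added example in a simplified model (not vp-toolkit's code or API). The `did:example` derivation, the `signatureValue` field name, the Ed25519 keys and all function names are assumptions made for illustration; only `credential.issuer` and `credential.proof.verificationMethod` come from the advisory.

```javascript
// Added illustration: a simplified model, not vp-toolkit's code or API.
const { generateKeyPairSync, createHash, sign, verify } = require('crypto');

// Assumption: a made-up DID method that derives the DID from the public key.
function didFromKey(publicKeyPem) {
  return 'did:example:' + createHash('sha256').update(publicKeyPem).digest('hex').slice(0, 32);
}

// Bytes covered by the signature: the credential without its proof.
function payload(credential) {
  const { proof, ...unsigned } = credential;
  return Buffer.from(JSON.stringify(unsigned));
}

function issueCredential(issuerDid, claims, keyPair) {
  const credential = { issuer: issuerDid, credentialSubject: claims };
  const publicKeyPem = keyPair.publicKey.export({ type: 'spki', format: 'pem' });
  const signatureValue = sign(null, payload(credential), keyPair.privateKey).toString('base64');
  return { ...credential, proof: { verificationMethod: publicKeyPem, signatureValue } };
}

// Flawed check: proves only that *someone* signed the credential.
function verifyIntegrityOnly(credential) {
  const { verificationMethod, signatureValue } = credential.proof;
  return verify(null, payload(credential), verificationMethod, Buffer.from(signatureValue, 'base64'));
}

// Corrected check: the signing key must also resolve to credential.issuer.
function verifyWithIssuerBinding(credential) {
  return verifyIntegrityOnly(credential) &&
    didFromKey(credential.proof.verificationMethod) === credential.issuer;
}

// Constructed sample data: a genuine issuer and a holder with their own key.
const issuerKeys = generateKeyPairSync('ed25519');
const holderKeys = generateKeyPairSync('ed25519');
const issuerDid = didFromKey(issuerKeys.publicKey.export({ type: 'spki', format: 'pem' }));

const genuine = issueCredential(issuerDid, { degree: 'BSc' }, issuerKeys);
// Same issuer DID, different claims, signed with the holder's key instead.
const reissued = issueCredential(issuerDid, { degree: 'PhD' }, holderKeys);

console.log('integrity only:', verifyIntegrityOnly(genuine), verifyIntegrityOnly(reissued));
console.log('issuer binding:', verifyWithIssuerBinding(genuine), verifyWithIssuerBinding(reissued));
```

Both credentials pass the integrity-only check, while the issuer-bound check accepts only the one signed by the key that corresponds to `credential.issuer`.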
Source: This report was generated using AI