GHSA-vg44-fw64-cpjx: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-vg44-fw64-cpjx) affects the eth-ledger-bridge-keyring package, an implementation of MetaMask's Keyring interface that uses a Ledger hardware wallet for cryptographic operations. The issue was discovered and disclosed on March 4, 2020, affecting versions <0.2.1 of eth-ledger-bridge-keyring and <0.2.2 of @metamask/eth-ledger-bridge-keyring. The vulnerability involves incorrect account usage for signing transactions and messages (GitHub Advisory).

The vulnerability stems from a serialization/deserialization process flaw where the keyring state fails to restore the correct account index for signing operations. After serializing and deserializing the keyring state, the system defaults to using the account at index 0 for signing, regardless of the actual current account. The issue has been assigned a CVSS v3.1 score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (Snyk).

The vulnerability affects users signing with a BIP44 account other than the first account. Users signing with the first account (index 0) or using the legacy MEW/MyCrypto HD path are not affected. The issue manifests when users sign personal messages or transactions without first adding the account, including scenarios where the account was added in a previous session but the application was reset. This could lead to transactions being signed with the wrong account, potentially causing unintended transfers or message signatures (GitHub Advisory).

The vulnerability has been patched in version 0.2.1 of eth-ledger-bridge-keyring and version 0.2.2 of @metamask/eth-ledger-bridge-keyring. Users are encouraged to upgrade to these versions or higher. For those unable to update immediately, a workaround involves removing and re-adding the account before use, ensuring the account is added during the current process lifetime (GitHub Advisory).