CVE-2020-5232: Malicious takeover of previously owned ENS names
CVSS Score: 8.7 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.68503%
CWE
Published: 1/30/2020
Updated: 1/29/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @ensdomains/ens | npm | < 0.4.0 | 0.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper authorization in ownership transfer functions. The core issue was in `setSubnodeOwner()`, which allowed parent node owners to retain control over subnodes after transferring them, as they could call this function again to reset ownership. The `setOwner()` function similarly lacked mechanisms to prevent previous owners from reclaiming control. The commit diff shows these functions were modified in the patched version (adding return values and authorization checks), and the CWE-285 classification confirms improper authorization was the root cause.