8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34694

GHSA ID

GHSA-3j4h-h3fp-vwww

EPSS Score

0.20423%

CWE

CWE-754

Published

6/17/2024

Updated

6/17/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34694

CVE-2024-34694: LNbits improperly handles potential network and payment failures when using Eclair backend

Summary

Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight.

Details

Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s timeout with the error: Ask timed out on [Actor[akka://eclair-node/user/$l#134241942]] after [30000 ms]. Message of type [fr.acinq.eclair.payment.send.PaymentInitiator$SendPaymentToNode]. A typical reason for AskTimeoutException is that the recipient actor didn't send a reply. https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L138

This is considered a payment failure by parts of the code, and assumes the payment is not going to be settled after: https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L144 https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L141 https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L146

The best way to fix this is to check the payment status after an error, and when not sure, always consider a payment still in flight.

PoC

A very simple way to exploit this is:

Create a hold invoice
Pay the invoice with the LNbits server backed by an Eclair node, until it times out
Settle the hold invoice

Impact

This vulnerability can lead to a total loss of funds for the node backend.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-34694

GHSA ID

GHSA-3j4h-h3fp-vwww

EPSS Score

0.20423%

CWE

CWE-754

Published

6/17/2024

Updated

6/17/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lnbits	pip	< 0.12.6	0.12.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three key elements in eclair.py's payment handling: 1) The use of blocking requests with a 30s timeout (line 138), 2) Immediate error assumption via raise_for_status() (line 141), and 3) Payment failure determination based solely on initial response status (lines 144, 146). Together these create an improper exceptional condition check (CWE-754) by not verifying actual payment state after timeout. The function's error handling flow makes it vulnerable to the described race condition attack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry P*yin* invoi**s in **l*ir t**t *o not **t s*ttl** wit*in t** int*rn*l tim*out (**out **s) l*** to * p*ym*nt **in* *onsi**r** **il**, *v*n t*ou** it m*y still ** in *li**t. ### **t*ils Usin* `*lo*kin*: tru*` on t** *PI **ll will l*** to

Reasoning

T** vuln*r**ility st*ms *rom t*r** k*y *l*m*nts in **l*ir.py's p*ym*nt **n*lin*: *) T** us* o* *lo*kin* r*qu*sts wit* * **s tim*out (lin* ***), *) Imm**i*t* *rror *ssumption vi* r*is*_*or_st*tus() (lin* ***), *n* *) P*ym*nt **ilur* **t*rmin*tion **s*

8.1

Basic Information

Concerned about an active attack path?

CVE-2024-34694: LNbits improperly handles potential network and payment failures when using Eclair backend

Summary

Details

PoC

Impact

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI