@aikido-autofix

Upgrade thirdweb, wagmi, and React Native CLI to patch critical RCE vulnerability in Metro server and mitigate key compromise risks in transaction signing.

✅ 3 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue | Severity | Description

AIKIDO-2025-10854 | 🚨 CRITICAL | Metro dev server in React Native CLI allows unauthenticated remote attackers to inject and execute arbitrary OS commands via crafted POST requests, with potential for full remote code execution, especially on Windows systems.

AIKIDO-2024-10466 | MEDIUM | Signature algorithm vulnerability allows private key recovery by exploiting nonce reuse, enabling attackers to compromise cryptographic system security through repeated transaction signatures.

GHSA-qj3p-xc97-xw74 | MEDIUM | Malicious debug@4.4.2 npm package could compromise dApp-to-wallet communication in browser contexts, potentially enabling unauthorized wallet interactions during a specific 2.5-hour window on Sept 8th, 2025.
🔗 Related Tasks

@aikido-autofix aikido-autofix bot requested a review from coffeexcoin as a code owner January 25, 2026 23:34
@aikido-autofix aikido-autofix bot added the dependencies Pull requests that update a dependency file label Jan 25, 2026
@aikido-autofix aikido-autofix bot requested a review from cygaar as a code owner January 25, 2026 23:34
@changeset-bot

changeset-bot bot commented Jan 25, 2026

⚠️ No Changeset found

Latest commit: 4389075

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@cursor

cursor bot commented Jan 25, 2026

PR Summary

  • Add pnpm overrides in root package.json to pin @react-native-community/cli and @react-native-community/cli-server-api to 17.0.1
  • Update devDependencies:
    • packages/agw-react: bump thirdweb to 5.72.0-nightly-393d0cfb504401d6449a75cbe8422946d157fc93-20241202000349
    • packages/web3-react-agw: bump wagmi to ^2.17.1
  • Minor JSON formatting/reordering in package.json files (arrays, peer deps order)

Written by Cursor Bugbot for commit 4389075. This will update automatically on new commits. Configure here.
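As an added example (not code from this PR or the repository), a check a maintainer might run in CI to confirm the root package.json pins both React Native CLI packages to the patched 17.0.1 with exact pnpm overrides; the package.json contents below are constructed and the helper names are assumed:

```javascript
// Added example, not code from the PR: a CI guard that checks the root package.json
// carries pnpm overrides pinning the React Native CLI packages to the patched version.
// The two package names and 17.0.1 come from the PR summary; the rest is assumed.
const PATCHED_VERSION = "17.0.1";
const REQUIRED_OVERRIDES = [
  "@react-native-community/cli",
  "@react-native-community/cli-server-api",
];
// Constructed sample of a root package.json after the upgrade (not the repo's file).
const samplePackageJson = {
  pnpm: {
    overrides: {
      "@react-native-community/cli": "17.0.1",
      "@react-native-community/cli-server-api": "17.0.1",
    },
  },
};

// An exact pin is a bare version (no ^, ~, ranges, dist-tags or npm: aliases).
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(spec));
}

// Compare the numeric core of two versions; prerelease tags are ignored here.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns findings; an empty list means every required override is an exact pin at or above min.
function checkOverrides(pkg, required = REQUIRED_OVERRIDES, min = PATCHED_VERSION) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const findings = [];
  for (const name of required) {
    const spec = overrides[name];
    if (spec === undefined) {
      findings.push(`${name}: no pnpm override, transitive copies may resolve to an unpatched release`);
    } else if (!isExactVersion(spec)) {
      findings.push(`${name}: override "${spec}" is a range, not an exact pin`);
    } else if (compareSemver(spec, min) < 0) {
      findings.push(`${name}: pinned ${spec} is older than patched ${min}`);
    }
  }
  return findings;
}

console.log(checkOverrides(samplePackageJson)); // [] when the pins are in place
```

A range such as ^17.0.1 still lets a lockfile keep an older transitive copy, which is why the check insists on an exact version.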
