GHSA-QR2G-P6Q7-W82M: Critical Payment Verification Bypass in Coinbase x402 SDK (Solana)
Source: Dev.to

Vulnerability Overview
Vulnerability ID: GHSA-QR2G-P6Q7-W82M
CVSS Score: 9.9 (Critical)
Published: 2026-03-07
A critical vulnerability exists in the Coinbase x402 SDK affecting the verification of Solana (SVM) payments. The flaw is located in the facilitator component, which acts as an intermediary for validating automated HTTP 402 payments. Improper verification of Ed25519 cryptographic signatures in the Solana implementation allows an attacker to bypass payment requirements, granting unauthorized access to monetized APIs, compute resources, or digital goods without settling the required transaction on the blockchain. The vulnerability impacts the @x402/svm npm package, the x402 PyPI package, and the Go SDK.
TL;DR
The Coinbase x402 SDK contains a critical flaw in its Solana payment verification logic. Attackers can spoof payment signatures to bypass fees for APIs and services using the protocol. This affects versions prior to:
- npm: < 2.6.0
- Python: < 2.3.0
- Go: < 2.5.0
Immediate upgrade is required for all facilitators.
Exploit Status
⚠️ POC Available
Technical Details
- CWE ID: CWE-347
- Attack Vector: Network
- Affected Protocol: Solana (SVM)
- Patch Date: 2026-03-07
Affected Systems
- Node.js applications using @x402/svm
- Python applications using x402
- Go applications using github.com/coinbase/x402/go
| Component | Affected Versions | Fixed In |
|---|---|---|
| @x402/svm (npm) | < 2.6.0 | 2.6.0 |
| x402 (PyPI) | < 2.3.0 | 2.3.0 |
| github.com/coinbase/x402/go | < 2.5.0 | 2.5.0 |
Mitigation Strategies
- Upgrade all x402 SDK components to the latest patched versions immediately.
- Review access logs for suspicious activity, such as repeated payment signatures or high-volume requests from a single IP without corresponding on-chain volume.
- If immediate patching is not possible, temporarily disable Solana (SVM) payment support and fall back to EVM-only payments.
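The log review above, as an added triage script (not part of the x402 SDK or the advisory): it flags clients that reuse one payment signature across many requests, and clients whose request count is out of proportion to the signatures actually settled on-chain. The log format, the settled-signature set and the thresholds are constructed assumptions; adapt the parsing to your facilitator's real logs and source the settled set from chain data.

```python
from collections import Counter, defaultdict

# Constructed sample: one facilitator access line per paid request,
# "<client_ip> <payment_signature>". Not real data.
SAMPLE_LOG = """\
203.0.113.7 sigAAA1
203.0.113.7 sigAAA1
203.0.113.7 sigAAA1
203.0.113.7 sigAAA1
198.51.100.4 sigBBB2
198.51.100.4 sigCCC3
192.0.2.9 sigDDD4
"""

# Constructed stand-in for signatures confirmed as settled on-chain
# (in practice, pull these from your Solana RPC / indexer).
SETTLED_ON_CHAIN = {"sigAAA1", "sigBBB2", "sigCCC3"}


def parse(log_text):
    """Yield (ip, signature) pairs, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1]


def find_suspicious(log_text, settled_signatures=SETTLED_ON_CHAIN,
                    max_sig_reuse=1, min_requests=3, max_settle_ratio=0.5):
    """Return {ip: [reasons]} for clients whose traffic does not match settlement."""
    sig_uses = Counter()            # (ip, sig) -> times that signature was presented
    requests = Counter()            # ip -> total paid requests
    sigs_by_ip = defaultdict(set)   # ip -> distinct signatures presented
    for ip, sig in parse(log_text):
        sig_uses[(ip, sig)] += 1
        requests[ip] += 1
        sigs_by_ip[ip].add(sig)

    findings = defaultdict(list)
    for (ip, sig), n in sig_uses.items():
        if n > max_sig_reuse:       # replayed signature: one payment, many requests
            findings[ip].append(f"signature {sig} reused {n} times")
    for ip, sigs in sigs_by_ip.items():
        n = requests[ip]
        settled = sum(1 for s in sigs if s in settled_signatures)
        if n >= min_requests and settled / n <= max_settle_ratio:
            findings[ip].append(f"{n} requests but only {settled} settled on-chain")
    return dict(findings)
```

Thresholds are deliberately conservative; a single unsettled signature from a low-volume client (192.0.2.9 above) is not flagged on its own.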
Remediation Steps
- Identify all services acting as x402 facilitators.
- Node.js / TypeScript projects:
  npm install @x402/svm@latest   # installs version 2.6.0 or higher
- Python projects:
  pip install x402 --upgrade     # installs version 2.3.0 or higher
- Go projects:
  # edit go.mod to require the patched version
  go get github.com/coinbase/x402/go@v2.5.0
- Restart all facilitator services to load the new logic.