CVE-2023-42449 Malicious head initialiser can extract PTs from control of Hydra scripts, leading to locked participant commits or spoofed commits

🗓️ 04 Oct 2023 19:06:50Reported by GoogleType

osv🔗 osv.dev👁 14 Views

Hydra scalability solution for Cardano allows malicious initializer to extract PTs and spoil head initialization, leading to fund loss and potential ransom, and manipulation of committed TxOs

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2023-42449	5 Oct 202300:13	–	circl
CNNVD	Hydra Input Validation Error Vulnerability	4 Oct 202300:00	–	cnnvd
CVE	CVE-2023-42449	4 Oct 202319:06	–	cve
Cvelist	CVE-2023-42449 Malicious head initialiser can extract PTs from control of Hydra scripts, leading to locked participant commits or spoofed commits	4 Oct 202319:06	–	cvelist
EUVD	EUVD-2023-46895	3 Oct 202520:07	–	euvd
NVD	CVE-2023-42449	4 Oct 202320:15	–	nvd
Prion	Design/Logic Flaw	4 Oct 202320:15	–	prion
RedhatCVE	CVE-2023-42449	23 May 202501:59	–	redhatcve
Vulnrichment	CVE-2023-42449 Malicious head initialiser can extract PTs from control of Hydra scripts, leading to locked participant commits or spoofed commits	4 Oct 202319:06	–	vulnrichment

Source	Link
github	www.github.com/input-output-hk/hydra/blob/1e13b60a7b21c5ccd6c36e3cf220547f5d443cef/hydra-node/src/Hydra/Chain/Direct/Tx.hs
github	www.github.com/input-output-hk/hydra/blob/1e13b60a7b21c5ccd6c36e3cf220547f5d443cef/hydra-plutus/src/Hydra/Contract/Initial.hs
github	www.github.com/input-output-hk/hydra/blob/master/CHANGELOG.md
github	www.github.com/input-output-hk/hydra/blob/master/hydra-plutus/src/Hydra/Contract/HeadTokens.hs
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42449.json
github	www.github.com/input-output-hk/hydra/security/advisories/GHSA-9m8q-7wxv-v65p
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-42449

02 Apr 2026 09:21Current

7.9High risk

Vulners AI Score7.9

CVSS 3.18.1

EPSS0.00178