GHSA-x5m4-43jf-hh65
HIGHsoroban-fixed-point-math has Incorrect Rounding and Overflow Handling in Signed Fixed-Point Math with Negatives
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
soroban-fixed-point-math🦀soroban-fixed-point-mathReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Incorrect rounding direction for signed mul and div operations
The mulDiv(x, y, z) function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$.
This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are fixed_div_floor and fixed_div_ceil, as they often use non-constant numbers as the divisor $z$ in mulDiv.
This error is present in all signed FixedPoint and SorobanFixedPoint implementations, including i64, i128, and I256.
Negative Overflow in i64
The mulDiv(x, y, z) function for i64 used the i128 type to handle "phantom overflows". These are overflows that occur intermediately during a calculation, like when computing the intermediate product $x * y$. When the final result of mulDiv was computed in i128, it was scaled back down to i64 before returning. While the code verified that the result did not exceed i64::MAX, it did not check against i64::MIN.
This caused negative results smaller than i64:MIN to wrap around to a large positive number instead of being caught as an overflow.
This error only exists for the FixedPoint implementation of i64.
Patches
- v1.3.0 users should upgrade to patch v1.3.1
- v1.4.0 users should upgrade to patch v1.4.1
All versions >=v1.4.1 contain the patch.
Workarounds
There are no known workarounds. Upgrade to the patched version.
Credits
soroban-fixed-point-math would like to thank the team at Certora for discovering and reporting the issue.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | soroban-fixed-point-math | ≥ 1.4.0&&< 1.4.1 | 1.4.1 |
| 🦀crates.io | soroban-fixed-point-math | ≥ 1.3.0&&< 1.3.1 | 1.3.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for soroban-fixed-point-math. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update soroban-fixed-point-math to 1.4.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x5m4-43jf-hh65 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-x5m4-43jf-hh65 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-x5m4-43jf-hh65. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-x5m4-43jf-hh65 in your dependencies?
O3 detects GHSA-x5m4-43jf-hh65 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.