CVE-2023-7345 Overview
CVE-2023-7345 affects Ledger Live when bundled with vulnerable versions of the @ledgerhq/hw-app-eth library prior to 6.34.7. The flaw is an integer parsing vulnerability in the handling of EIP-712 typed data messages. When hexadecimal field values contain an odd number of characters, the library parses them incorrectly. Attackers can craft typed data so that users sign truncated or misinterpreted values. This lets adversaries obtain signatures that authorize unintended blockchain transactions, including asset transfers at incorrect amounts. The issue is categorized under CWE-704: Incorrect Type Conversion or Cast.
Critical Impact
Attackers can trick Ledger Live users into signing EIP-712 messages that authorize transfers at amounts different from what was displayed, leading to direct loss of cryptocurrency assets.
Affected Products
- Ledger Live integrating @ledgerhq/hw-app-eth versions prior to 6.34.7
- Ethereum dApps and wallets consuming the affected hw-app-eth library
- Any downstream JavaScript/TypeScript project depending on vulnerable hw-app-eth releases
Discovery Timeline
- 2026-05-19 - CVE-2023-7345 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2023-7345
Vulnerability Analysis
The vulnerability resides in how @ledgerhq/hw-app-eth parses hexadecimal field values inside EIP-712 typed data structures. EIP-712 defines a standard for hashing and signing typed structured data on Ethereum. Ledger Live relies on hw-app-eth to translate these messages into instructions sent to the Ledger hardware device for user confirmation.
When a hexadecimal value contains an odd number of characters, the parser mishandles the conversion. Numeric fields are truncated or reinterpreted before being displayed and signed. The signed payload therefore does not match what the user reasonably expects. This breaks the core trust assumption of hardware wallets: that the value confirmed on-device equals the value authorized on-chain.
Root Cause
The root cause is incorrect type conversion during hexadecimal field decoding. Standard hex parsing requires byte-aligned input of even length. The library does not normalize odd-length hex strings before integer conversion. The resulting integer differs from the value the relying application or user intended to encode, producing a signature over malformed data.
Attack Vector
An attacker hosts a malicious dApp or compromises a legitimate one, then prompts the user to sign an EIP-712 message containing crafted odd-length hexadecimal fields. The user reviews a value that appears legitimate, but the cryptographic signature commits to a different integer value. The attacker submits the resulting signature on-chain to execute unintended token approvals or transfers. Exploitation requires user interaction in the form of approving the signing prompt, but does not require additional privileges or authentication. See the Ledger Donjon Security Briefing and the VulnCheck Advisory for protocol-level details.
No verified exploitation code is available. The mechanism is described in prose to avoid fabricating proof-of-concept content.
Detection Methods for CVE-2023-7345
Indicators of Compromise
- Outbound blockchain transactions from user wallets that do not match approved amounts shown in dApp interfaces.
- Ledger Live or downstream wallet builds shipping @ledgerhq/hw-app-eth versions earlier than 6.34.7.
- EIP-712 signing requests containing odd-length hexadecimal values in numeric typed fields.
Detection Strategies
- Inventory all internal applications and developer workstations for the vulnerable hw-app-eth dependency using SBOM or npm ls @ledgerhq/hw-app-eth.
- Inspect captured EIP-712 payloads for hex string fields whose length, excluding the 0x prefix, is odd; a byte-encoded value always has an even number of hex digits, so an odd count is a strong signal of malformed input.
- Correlate signed transaction values with the originating dApp request to identify mismatches between displayed and on-chain amounts.
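The following is an added example, not code from Ledger or from @ledgerhq/hw-app-eth. It covers both the root cause described above and the payload inspection in the detection strategy: a naive hex decoder written here to illustrate the bug class (it drops a trailing lone nibble, so the decoded integer differs from the one intended), a hardened decoder that validates and left-pads odd-length input, and a scanner that walks an EIP-712 typed-data object along its declared types and refuses to sign when any numeric, bytes or address field carries an odd-length 0x string. The typed-data sample, field names and addresses are constructed for the example.

```javascript
'use strict';
// Added example, not code from Ledger or @ledgerhq/hw-app-eth. The naive decoder
// illustrates the bug class; the hardened decoder and the EIP-712 scanner are
// defensive checks a wallet integration can run before signing.
const strip0x = (hex) => (/^0x/i.test(hex) ? hex.slice(2) : hex);

// Naive decoder: two characters per byte, silently dropping a trailing lone
// nibble, so '0xabc' decodes as [0xab] (171) instead of the intended 2748.
function decodeHexNaive(hex) {
  const s = strip0x(hex);
  const bytes = [];
  for (let i = 0; i + 1 < s.length; i += 2) bytes.push(parseInt(s.slice(i, i + 2), 16));
  return bytes;
}

// Hardened decoder: validate the character set and left-pad odd-length input
// with a zero nibble, the only reading consistent with the intended number.
function normalizeHex(hex) {
  if (typeof hex !== 'string') throw new TypeError('hex value must be a string');
  let s = strip0x(hex);
  if (!/^[0-9a-fA-F]*$/.test(s)) throw new RangeError(`non-hex characters in ${hex}`);
  if (s.length % 2 === 1) s = '0' + s;
  return s.toLowerCase();
}

function decodeHexSafe(hex) {
  const s = normalizeHex(hex);
  const bytes = [];
  for (let i = 0; i < s.length; i += 2) bytes.push(parseInt(s.slice(i, i + 2), 16));
  return bytes;
}

const bytesToBigInt = (bytes) => bytes.reduce((acc, b) => (acc << 8n) | BigInt(b), 0n);

// EIP-712 atomic types whose values are usually supplied as 0x-prefixed hex.
const HEX_TYPE = /^(u?int\d*|bytes\d*|address)$/;

// Walk domain and message along the declared types (nested structs and arrays
// included) and return every 0x string whose length, prefix excluded, is odd.
function findOddLengthHexFields(typedData) {
  const findings = [];
  const visit = (structName, obj, path) => {
    for (const field of typedData.types[structName] || []) {
      const value = obj ? obj[field.name] : undefined;
      const isArray = field.type.endsWith('[]');
      const base = isArray ? field.type.slice(0, -2) : field.type;
      const items = isArray ? (Array.isArray(value) ? value : []) : [value];
      items.forEach((item, idx) => {
        const p = isArray ? `${path}${field.name}[${idx}]` : `${path}${field.name}`;
        if (typedData.types[base]) { visit(base, item, `${p}.`); return; }
        if (HEX_TYPE.test(base) && typeof item === 'string' && /^0x/i.test(item)
            && (item.length - 2) % 2 === 1) {
          findings.push({ path: p, type: base, value: item });
        }
      });
    }
  };
  visit('EIP712Domain', typedData.domain, 'domain.');
  visit(typedData.primaryType, typedData.message, 'message.');
  return findings;
}

// Gate to run before handing a request to the signing library: reject the
// payload instead of letting a decoder guess what was meant.
function assertNoOddLengthHex(typedData) {
  const findings = findOddLengthHexFields(typedData);
  if (findings.length > 0) {
    const list = findings.map((f) => `${f.path} (${f.type}) = ${f.value}`).join(', ');
    throw new Error(`refusing to sign: odd-length hex in ${list}`);
  }
  return true;
}

// Constructed sample: a permit-style message whose value field is '0xabc'.
const SAMPLE_TYPED_DATA = {
  types: {
    EIP712Domain: [
      { name: 'name', type: 'string' },
      { name: 'chainId', type: 'uint256' },
      { name: 'verifyingContract', type: 'address' },
    ],
    Permit: [
      { name: 'owner', type: 'address' },
      { name: 'spender', type: 'address' },
      { name: 'value', type: 'uint256' },
      { name: 'deadline', type: 'uint256' },
    ],
  },
  primaryType: 'Permit',
  domain: { name: 'ExampleToken', chainId: '0x01', verifyingContract: `0x${'11'.repeat(20)}` },
  message: {
    owner: `0x${'22'.repeat(20)}`,
    spender: `0x${'33'.repeat(20)}`,
    value: '0xabc',
    deadline: '0x6553f100',
  },
};

console.log('naive:', bytesToBigInt(decodeHexNaive('0xabc')), 'safe:', bytesToBigInt(decodeHexSafe('0xabc')));
console.log(findOddLengthHexFields(SAMPLE_TYPED_DATA));
```

The scanner flags rather than repairs: a request carrying odd-length hex is either a buggy dApp or a crafted message, and in both cases the wallet should surface the mismatch to the user instead of silently padding. The same walk can be pointed at captured signing requests in logs to implement the detection strategy above.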
Monitoring Recommendations
- Monitor package registries and CI pipelines for installations of @ledgerhq/hw-app-eth below 6.34.7 and fail builds that resolve to vulnerable versions.
- Log and review EIP-712 signing events from enterprise wallets, alerting on unusual approval amounts or unfamiliar spender addresses.
- Track on-chain activity from known corporate wallets and flag transfers that diverge from approved treasury workflows.
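As an added example of the build gate recommended above (not Ledger's or npm's code), the following script walks the JSON dependency tree that `npm ls @ledgerhq/hw-app-eth --all --json` prints and reports every resolved copy, direct or transitive, older than 6.34.7. The tree shape (nested `dependencies` objects with a `version` field) follows npm's documented JSON output; the sample tree and the connector package name in it are constructed for the example.

```javascript
'use strict';
// Added example, not Ledger's or npm's code: a CI dependency gate over the
// JSON tree printed by `npm ls @ledgerhq/hw-app-eth --all --json`.
const PACKAGE = '@ledgerhq/hw-app-eth';
const FIXED_VERSION = '6.34.7';

// Compare dotted numeric versions; a pre-release suffix after '-' is ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect every copy of the package with its dependency path, so a
// transitive copy hidden behind another dependency is not missed.
function findInstalledVersions(tree, pkg = PACKAGE, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (name === pkg && node.version) out.push({ version: node.version, path: here.join(' > ') });
    findInstalledVersions(node, pkg, here, out);
  }
  return out;
}

function vulnerableInstalls(tree, pkg = PACKAGE, fixed = FIXED_VERSION) {
  return findInstalledVersions(tree, pkg).filter((i) => compareVersions(i.version, fixed) < 0);
}

// Build a report; a CI wrapper sets its exit code from `ok`.
function gateReport(tree) {
  const bad = vulnerableInstalls(tree);
  const lines = bad.map((i) => `FAIL ${i.path} (< ${FIXED_VERSION})`);
  if (bad.length === 0) lines.push(`OK no ${PACKAGE} older than ${FIXED_VERSION} resolved`);
  return { ok: bad.length === 0, lines };
}

// Constructed sample in the shape of `npm ls --all --json`: the direct copy is
// patched, but a wallet connector still pulls in an older transitive copy.
const SAMPLE_NPM_LS = {
  name: 'treasury-dapp',
  version: '1.0.0',
  dependencies: {
    '@ledgerhq/hw-app-eth': { version: '6.34.7' },
    'example-wallet-connector': {
      version: '2.1.0',
      dependencies: {
        '@ledgerhq/hw-app-eth': { version: '6.33.0' },
      },
    },
  },
};

console.log(gateReport(SAMPLE_NPM_LS).lines.join('\n'));
```

In a pipeline, pipe the real `npm ls` output into `JSON.parse`, call `gateReport`, and fail the build when `ok` is false; the transitive case in the sample is the one a plain `npm ls @ledgerhq/hw-app-eth` read by eye tends to miss.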
How to Mitigate CVE-2023-7345
Immediate Actions Required
- Upgrade @ledgerhq/hw-app-eth to version 6.34.7 or later in every application and rebuild all downstream wallet integrations.
- Update Ledger Live to the latest vendor release that bundles the patched library.
- Audit recent EIP-712 signatures generated by treasury or operational wallets for anomalies in value fields.
Patch Information
Ledger remediated the integer parsing flaw in @ledgerhq/hw-app-eth version 6.34.7. Consumers of the library must update their package.json constraints and reinstall dependencies. Refer to the Ledger Donjon Security Briefing LSB-020 for the vendor disclosure and to the VulnCheck Advisory for additional technical context.
Workarounds
- Disable or block EIP-712 signing flows in internal applications until the patched library is deployed.
- Restrict use of Ledger-integrated wallets to vetted dApps when an immediate update is not feasible.
- Require manual transaction value verification against on-chain simulators such as Tenderly before broadcasting signed payloads.
# Configuration example
# Pin the patched release (6.34.7 or any later 6.x) and reinstall
npm install @ledgerhq/hw-app-eth@^6.34.7
# Confirm every resolved copy in the tree, transitive ones included, is 6.34.7 or later
npm ls @ledgerhq/hw-app-eth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


