CVE-2023-31290
CVE-2023-31290 is a medium-severity vulnerability in Trustwallet Trust Wallet Browser Extension with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-338.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 1% (58th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-338
- Affected product: Trustwallet Trust Wallet Browser Extension
- Published:
- Last modified:
Description
Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.
Frequently asked questions
- What is CVE-2023-31290?
- Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.
- How severe is CVE-2023-31290?
- CVE-2023-31290 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2023-31290 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (58th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-31290?
- CVE-2023-31290 primarily affects Trustwallet Trust Wallet Browser Extension. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-31290?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-31290 published?
- CVE-2023-31290 was published on 2023-04-27 and last updated on 2026-06-17.
References
- https://blog.ledger.com/Funds-of-every-wallet-created-with-the-Trust-Wallet-browser-extension-could-have-been-stolen/
- https://community.trustwallet.com/t/browser-extension-wasm-vulnerability-postmortem/750787
- https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions/750786
- https://github.com/trustwallet/wallet-core/compare/3.1.0...3.1.1
- https://twitter.com/TrustWallet/status/1649699428733947906
Affected products (2)
- cpe:2.3:a:trustwallet:trust_wallet_browser_extension:*:*:*:*:*:*:*:*
- cpe:2.3:a:trustwallet:trust_wallet_core:*:*:*:*:*:*:*:*
Other CWE-338 vulnerabilities
- CVE-2026-56141 — Critical (CVSS 9.8): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account…
- CVE-2026-3256 — Critical (CVSS 9.8): HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults…
- CVE-2025-15604 — Critical (CVSS 9.8): Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions…
- CVE-2025-40926 — Critical (CVSS 9.8): Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session…
- CVE-2026-2439 — Critical (CVSS 9.8): Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id…
- CVE-2025-15578 — Critical (CVSS 9.8): Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the…