CVE-2024-48915

CVE-2024-48915 is a high-severity vulnerability with a CVSS 4.0 base score of 8.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-295.

Key facts

Description

Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in `lib/agent/certificate.dart` does not occur properly. During the delegation verification in the `_checkDelegation` function, the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. The certificate’s timestamp, i.e /time path, is also not verified, meaning that the certificate effectively has no expiration time. Version 1.0.0-dev.29 implements appropriate certificate verification.

Frequently asked questions

What is CVE-2024-48915?
Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in `lib/agent/certificate.dart` does not occur properly. During the delegation verification in the `_checkDelegation` function, the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. The certificate’s timestamp, i.e /time path, is also not verified, meaning that the certificate effectively has no expiration time. Version 1.0.0-dev.29 implements appropriate certificate verification.
How severe is CVE-2024-48915?
CVE-2024-48915 has a CVSS 4.0 base score of 8.7, rated high severity.
Is CVE-2024-48915 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2024-48915?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2024-48915 have an EU (EUVD) identifier?
Yes. CVE-2024-48915 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-3038.
When was CVE-2024-48915 published?
CVE-2024-48915 was published on 2024-10-15 and last updated on 2026-06-17.

References

Other CWE-295 (Improper Certificate Validation) vulnerabilities

Browse all CWE-295 (Improper Certificate Validation) vulnerabilities →