CVE-2024-41945 Information

Description

fuels-ts is a library for interacting with Fuel v2. The typescript SDK has no awareness of to-be-spent transactions causing some transactions to fail or silently get pruned as they are funded with already used UTXOs. The problem occurs because the fund function in fuels-ts/packages/account/src/account.ts gets the needed ressources statelessly with the function getResourcesToSpend without taking into consideration already used UTXOs. This issue will lead to unexpected SDK behaviour such as a transaction not getting included in the txpool / in a block or a previous transaction silently getting removed from the txpool and replaced with a new one.

Reference

https://github.com/FuelLabs/fuels-ts/security/advisories/GHSA-3jcg-vx7f-j6qf