PT-2024-24345 · Digital Bazaar · @Digitalbazaar/Zcap
Published 2024-04-10 · Updated 2024-04-10 · CVE-2024-31995
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
@digitalbazaar/zcap versions prior to 9.0.1
Description
The issue arises when a capability is invoked with a chain depth of 2, that is, a root capability with a single delegation. On that path the expires property is not properly checked against the current date, or against the date parameter supplied to the verifier, so an invocation can be accepted outside the time period the delegator intended. The flaw does not bypass proof verification: a zcap still cannot be invoked without the private key material associated with it.
Recommendations
For versions prior to 9.0.1, update to version 9.0.1 or later, which fixes the expiration check. The installed version can be confirmed with npm ls @digitalbazaar/zcap.
As a temporary workaround, revoke any zcap that should no longer be usable; a zcap can be revoked at any time, and revocation does not depend on the affected expiration check.
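What a correct check looks like, as an added example for this advisory rather than code from @digitalbazaar/zcap or Digital Bazaar: a verifier walks every link of the capability chain, root first, and rejects the invocation if any link's expires has passed relative to the date parameter it was given (defaulting to the current time), or if a delegation claims to outlive its parent. Beside it is a constructed variant whose depth-2 path never consults expires, which is the behaviour the advisory describes; how the check was actually skipped in the library is not shown on this page. The object shapes, function names, the outlives-parent rule and the sample chain are assumptions made for the illustration.

```javascript
// Added example for this advisory; not code from @digitalbazaar/zcap.
// Shows the expiration check a verifier must apply at every link of a
// capability chain, next to a constructed variant that skips it at
// chain depth 2. Object shapes, names and the sample chain are assumed.

// Constructed sample chain, ordered root -> delegated (depth 2).
// The root carries no `expires`; the delegation expires on 2024-03-01.
const ROOT_ZCAP = {
  id: 'urn:zcap:root:example',
  controller: 'did:example:alice'
};
const DELEGATED_ZCAP = {
  id: 'urn:zcap:delegated:example',
  parentCapability: ROOT_ZCAP.id,
  controller: 'did:example:bob',
  expires: '2024-03-01T00:00:00Z'
};
const SAMPLE_CHAIN = [ROOT_ZCAP, DELEGATED_ZCAP];

// Parse an RFC 3339 `expires` value to epoch milliseconds. A missing value
// means "does not expire"; a malformed one is an error, never a pass.
function parseExpires(zcap) {
  if (zcap.expires === undefined) {
    return null;
  }
  const t = Date.parse(zcap.expires);
  if (Number.isNaN(t)) {
    throw new TypeError(`invalid expires on ${zcap.id}: ${zcap.expires}`);
  }
  return t;
}

// Hardened check: every link is tested against `date`, the verifier's date
// parameter (defaults to now). Returns the first failing link, or {ok: true}.
// Depth is 1-based, so the invoked capability in SAMPLE_CHAIN is depth 2.
function checkChainExpiry(chain, {date = new Date()} = {}) {
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new TypeError('capability chain must be a non-empty array');
  }
  const now = date.getTime();
  let parentExpires = null;
  for (let depth = 1; depth <= chain.length; depth++) {
    const zcap = chain[depth - 1];
    const expires = parseExpires(zcap);
    // A capability whose expires is at or before `date` is no longer valid.
    if (expires !== null && now >= expires) {
      return {ok: false, depth, id: zcap.id, reason: 'expired'};
    }
    // Assumed rule: a delegation may not outlive its parent, otherwise an
    // expiring parent could be laundered through a longer-lived child.
    if (parentExpires !== null && (expires === null || expires > parentExpires)) {
      return {ok: false, depth, id: zcap.id, reason: 'outlives-parent'};
    }
    if (expires !== null) {
      parentExpires = expires;
    }
  }
  return {ok: true};
}

// Constructed vulnerable variant: the depth-2 path returns before any
// expiration check runs, so an expired delegation is accepted. This mirrors
// the behaviour the advisory describes; it is not the library's code.
function checkChainExpiryVulnerable(chain, {date = new Date()} = {}) {
  if (chain.length === 2) {
    // Proof verification is assumed to happen elsewhere; `expires` is never
    // consulted on this path.
    return {ok: true};
  }
  return checkChainExpiry(chain, {date});
}

// Stand-alone demonstration at a date after the delegation expired.
const AFTER_EXPIRY = new Date('2024-04-01T00:00:00Z');
console.log('hardened  :', JSON.stringify(checkChainExpiry(SAMPLE_CHAIN, {date: AFTER_EXPIRY})));
console.log('vulnerable:', JSON.stringify(checkChainExpiryVulnerable(SAMPLE_CHAIN, {date: AFTER_EXPIRY})));
```

The check above covers only the time-window part of verification. Signature verification over each delegation proof, parent-child linkage and revocation status still have to pass, which is why the advisory notes that possession of the private key remains required even on an affected version.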
Weakness Enumeration
Insufficient Session Expiration (CWE-613)
Related Identifiers
CVE-2024-31995
Affected Products
@Digitalbazaar/Zcap