PT-2024-26111 · Lnbits · Lnbits

Fishcakeday +1

Published 2024-06-14 · Updated 2024-06-17

CVE-2024-34694

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
LNbits versions prior to 0.12.6

Description
Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) can lead to a payment being considered failed, even though it may still be in flight. This issue can result in a total loss of funds for the node backend. The problem arises when using blocking: true on the API call, leading to a timeout error if a payment does not get settled within the 30s timeout.

Recommendations
For versions prior to 0.12.6, update to version 0.12.6 to prevent loss of funds due to unsettled invoices. As a temporary workaround, consider checking the payment status after an error and always assume a payment is still in flight when unsure. Restricting the use of blocking: true on API calls until the issue is resolved can also help minimize the risk of exploitation.
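The following is an added illustration, not LNbits or Eclair code, of the failure mode in the description and the workaround in the recommendations: a wallet that treats a timed-out blocking pay call as a failure refunds the user while the payment is still in flight, so the node later loses the funds; the hardened variant queries the backend after any error and keeps the debit whenever the outcome is unknown. The FakeEclair class, its method names, the Wallet ledger and the 45-second settle delay are constructed for this example; only the blocking/timeout behaviour and the 30s figure come from the advisory.

```python
"""Added example (constructed): timed-out payment treated as failed vs. as pending."""
from enum import Enum


class PaymentStatus(Enum):
    SUCCESS = "success"
    FAILED = "failed"
    PENDING = "pending"   # outcome unknown: funds may still leave the node


class FakeEclair:
    """Constructed stand-in for a backend with a blocking pay call (not Eclair's API).

    settle_after_s models how long the network takes to settle the payment; the
    blocking call gives up after timeout_s, but an HTLC already sent keeps going.
    route_failure models a genuine failure where nothing ever leaves the node.
    """

    def __init__(self, settle_after_s: float, timeout_s: float = 30.0,
                 route_failure: bool = False):
        self.settle_after_s = settle_after_s
        self.timeout_s = timeout_s
        self.route_failure = route_failure
        self.inflight = {}   # payment_hash -> amount_sat, HTLC on the wire
        self.settled = {}    # payment_hash -> amount_sat, funds actually gone

    def payinvoice(self, payment_hash: str, amount_sat: int, blocking: bool = True):
        if self.route_failure:
            raise RuntimeError("no route")          # real failure, no HTLC sent
        self.inflight[payment_hash] = amount_sat
        if blocking and self.settle_after_s > self.timeout_s:
            # Caller sees a timeout, but the payment is still in flight.
            raise TimeoutError(f"not settled within {self.timeout_s}s")
        self._settle(payment_hash)
        return PaymentStatus.SUCCESS

    def _settle(self, payment_hash: str):
        self.settled[payment_hash] = self.inflight.pop(payment_hash)

    def status(self, payment_hash: str) -> PaymentStatus:
        if payment_hash in self.settled:
            return PaymentStatus.SUCCESS
        if payment_hash in self.inflight:
            return PaymentStatus.PENDING
        return PaymentStatus.FAILED

    def network_settles_late(self):
        """Simulate the network settling every payment still in flight."""
        for h in list(self.inflight):
            self._settle(h)


class Wallet:
    """Constructed user ledger: debit on send, refund only when the payment failed."""

    def __init__(self, backend: FakeEclair, balance_sat: int):
        self.backend = backend
        self.balance_sat = balance_sat
        self.pending = {}    # payment_hash -> amount_sat awaiting a final outcome

    def pay_unsafe(self, payment_hash: str, amount_sat: int) -> PaymentStatus:
        """Vulnerable pattern: any exception, a timeout included, counts as failure."""
        self.balance_sat -= amount_sat
        try:
            return self.backend.payinvoice(payment_hash, amount_sat, blocking=True)
        except Exception:
            self.balance_sat += amount_sat       # refund while the HTLC may still settle
            return PaymentStatus.FAILED

    def pay_safe(self, payment_hash: str, amount_sat: int) -> PaymentStatus:
        """Hardened pattern: after an error ask the backend; when unsure, keep the debit."""
        self.balance_sat -= amount_sat
        try:
            return self.backend.payinvoice(payment_hash, amount_sat, blocking=True)
        except Exception:
            status = self.backend.status(payment_hash)
            if status is PaymentStatus.FAILED:
                self.balance_sat += amount_sat   # backend confirms nothing left the node
            else:
                self.pending[payment_hash] = amount_sat  # settled or still in flight
            return status

    def reconcile(self):
        """Later pass: resolve pending payments once the backend knows the outcome."""
        for h, amount in list(self.pending.items()):
            status = self.backend.status(h)
            if status is PaymentStatus.FAILED:
                self.balance_sat += amount
            if status is not PaymentStatus.PENDING:
                del self.pending[h]


def simulate(use_safe: bool, backend_fails: bool = False) -> tuple:
    """Return (user balance after reconcile, sats that actually left the node)."""
    backend = FakeEclair(settle_after_s=45.0, route_failure=backend_fails)  # > 30s timeout
    wallet = Wallet(backend, balance_sat=1000)
    pay = wallet.pay_safe if use_safe else wallet.pay_unsafe
    pay("h1", 600)
    backend.network_settles_late()
    wallet.reconcile()
    return wallet.balance_sat, sum(backend.settled.values())


if __name__ == "__main__":
    print("unsafe, slow settle:", simulate(False))          # (1000, 600): ledger refunded, node paid
    print("safe,   slow settle:", simulate(True))           # (400, 600): ledger and node agree
    print("safe,   route fail :", simulate(True, True))     # (1000, 0): genuine failure refunded
```

In the unsafe run the ledger shows the user untouched at 1000 sat while 600 sat have actually left the node, which is the discrepancy the advisory describes as loss of funds for the backend; the safe run only refunds when the backend reports an explicit failure, and the pending entry is cleared during reconciliation once the late settlement is visible.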

Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

CVE-2024-34694
GHSA-3J4H-H3FP-VWWW

Affected Products

Lnbits