PT-2026-31671 · Unknown · Bsv-Ruby-Sdk

Sgbett · Published 2026-04-09 · Updated 2026-04-10

CVE-2026-40069
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: BSV Ruby SDK versions 0.1.0 through 0.8.1

Description: The BSV Ruby SDK's ARC broadcaster incorrectly treats certain failure statuses from the ARC endpoint as successful broadcasts. Specifically, responses with txStatus values of INVALID, MALFORMED, MINED IN STALE BLOCK, or containing ORPHAN in extraInfo or txStatus are not recognized as failures. This can lead applications to incorrectly trust transactions that were not accepted by the network, potentially impacting integrity. The issue stems from a narrow failure predicate in the BSV::Network::ARC module. The Content-Type is sent as application/octet-stream instead of application/json, and the headers XDeployment-ID, X-CallbackUrl, and X-CallbackToken are not sent. The vulnerability affects integrity, as callers receive a success response for broadcasts that were actually rejected.

Recommendations: Upgrade to BSV Ruby SDK version 0.8.2 or later. This version expands the failure predicate to correctly identify and handle the aforementioned failure statuses.
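The defect the advisory describes is a failure predicate that is too narrow. The following Ruby is an added example, not code from the BSV Ruby SDK: the ArcStatusCheck module, its method names, the assumption that the pre-fix check only flagged a REJECTED status, and the sample response bodies are all constructed for illustration. It contrasts that narrow check with a predicate that covers every status the advisory lists (and ORPHAN in txStatus or extraInfo), parses constructed ARC-style JSON responses through it, and assembles the request headers the advisory says the vulnerable client omitted or set wrongly. It goes slightly beyond the page by normalising underscore and space variants of the status names so "MINED_IN_STALE_BLOCK" and "MINED IN STALE BLOCK" are treated alike.

```ruby
require "json"

# Added example, not the BSV Ruby SDK's own code. The module and method names are
# hypothetical. The failure statuses are those named in the advisory; ARC responses
# are assumed to be JSON objects with "txid", "txStatus" and an optional "extraInfo".
module ArcStatusCheck
  # Statuses a broadcaster must not report as success. REJECTED is the assumed
  # pre-fix case; INVALID, MALFORMED and MINED IN STALE BLOCK come from the advisory.
  # Matching is done on a normalised form (upper case, underscores mapped to spaces).
  FAILURE_STATUSES = ["REJECTED", "INVALID", "MALFORMED", "MINED IN STALE BLOCK"].freeze

  def self.normalize(value)
    value.to_s.upcase.tr("_", " ")
  end

  # Narrow predicate in the spirit of the pre-fix behaviour: only an explicit
  # REJECTED status counts as failure (an assumption about the old logic, not a quote).
  def self.narrow_failure?(resp)
    normalize(resp["txStatus"]) == "REJECTED"
  end

  # Expanded predicate: any listed failure status, or ORPHAN anywhere in
  # txStatus or extraInfo, means the broadcast did not succeed.
  def self.failure?(resp)
    status = normalize(resp["txStatus"])
    extra  = normalize(resp["extraInfo"])
    FAILURE_STATUSES.include?(status) || status.include?("ORPHAN") || extra.include?("ORPHAN")
  end

  # Parse a raw ARC response body and report success only when the expanded
  # predicate does not fire. An unparseable body is reported as a failure as well.
  def self.broadcast_result(body)
    resp = JSON.parse(body)
    return { ok: true, txid: resp["txid"], status: resp["txStatus"] } unless failure?(resp)
    { ok: false, txid: resp["txid"], status: resp["txStatus"], extra_info: resp["extraInfo"] }
  rescue JSON::ParserError => e
    { ok: false, txid: nil, status: nil, extra_info: "unparseable ARC response: #{e.message}" }
  end

  # Headers the advisory says were wrong (Content-Type) or missing entirely.
  # Callback headers are only added when a callback is configured.
  def self.request_headers(deployment_id:, callback_url: nil, callback_token: nil)
    headers = { "Content-Type" => "application/json", "XDeployment-ID" => deployment_id }
    headers["X-CallbackUrl"] = callback_url if callback_url
    headers["X-CallbackToken"] = callback_token if callback_token
    headers
  end
end

# Constructed sample responses (not captured from a real ARC node).
SAMPLE_RESPONSES = [
  '{"txid":"tx-seen","txStatus":"SEEN_ON_NETWORK"}',
  '{"txid":"tx-invalid","txStatus":"INVALID","extraInfo":"script failed"}',
  '{"txid":"tx-stale","txStatus":"MINED_IN_STALE_BLOCK"}',
  '{"txid":"tx-orphan","txStatus":"SEEN_ON_NETWORK","extraInfo":"orphan: parent not found"}'
].freeze

# For each sample, report what the narrow and the expanded predicate decide,
# so the gap the advisory describes is visible side by side.
def compare_predicates(bodies = SAMPLE_RESPONSES)
  bodies.map do |body|
    resp = JSON.parse(body)
    { txid: resp["txid"],
      narrow_says_failed: ArcStatusCheck.narrow_failure?(resp),
      expanded_says_failed: ArcStatusCheck.failure?(resp) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_predicates.each { |row| puts row.inspect }
end
```

Run stand-alone, the script prints one row per sample; the narrow predicate reports none of the three rejected transactions as failed, while the expanded one flags all three and leaves the genuinely seen transaction as a success.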


Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

CVE-2026-40069
GHSA-9HFR-GW99-8RHX

Affected Products

Bsv-Ruby-Sdk