CVE-2025-69287: CWE-573: Improper Following of Specification by Caller in bsv-blockchain ts-sdk
The BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps on the BSV Blockchain. Prior to version 2.0.0, a cryptographic vulnerability in the TypeScript SDK's BRC-104 authentication implementation caused incorrect signature data preparation, resulting in signature incompatibility between SDK implementations and potential authentication bypass scenarios. The vulnerability was located in the `Peer.ts` file of the TypeScript SDK, specifically in the `processInitialRequest` and `processInitialResponse` methods where signature data is prepared for BRC-104 mutual authentication. The TypeScript SDK incorrectly prepared signature data by concatenating base64-encoded nonce strings (`message.initialNonce + sessionNonce`) then decoding the concatenated base64 string (`base64ToBytes(concatenatedString)`). This produced ~32-34 bytes of signature data instead of the correct 64 bytes. BRC-104 authentication relies on cryptographic signatures to establish mutual trust between peers. When signature data preparation is incorrect, signatures generated by the TypeScript SDK don't match those expected by Go/Python SDKs; cross-implementation authentication fails; and an attacker could potentially exploit this to bypass authentication checks. The fix in version 2.0.0 ensures all SDKs now produce identical cryptographic signatures, restoring proper mutual authentication across implementations.
AI Analysis
Technical Summary
The vulnerability CVE-2025-69287 affects the BSV Blockchain TypeScript SDK (ts-sdk) prior to version 2.0.0 and is classified under CWE-573, indicating improper following of specification by the caller. The root cause lies in the cryptographic signature preparation for BRC-104 mutual authentication, specifically in the Peer.ts file's `processInitialRequest` and `processInitialResponse` methods. The SDK concatenates two base64-encoded nonce strings (`message.initialNonce` and `sessionNonce`) and then decodes the concatenated string using `base64ToBytes()`. This approach is flawed because concatenating base64 strings before decoding does not yield the correct combined byte array, resulting in a signature data length of approximately 32-34 bytes instead of the expected 64 bytes. Since BRC-104 authentication depends on precise cryptographic signatures to establish mutual trust between peers, this discrepancy causes signature mismatches between the TypeScript SDK and other SDK implementations such as Go and Python. Consequently, cross-implementation authentication fails, opening the door for attackers to exploit this inconsistency to bypass authentication checks. Although no known exploits have been reported in the wild, the vulnerability compromises the integrity and availability of the authentication mechanism within blockchain applications relying on this SDK. The issue was addressed in version 2.0.0 of the SDK, which ensures consistent signature generation across all SDK implementations, restoring proper mutual authentication.
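The decode-order defect described above, reproduced as an added example (not code from ts-sdk or from the advisory). The decoders, function names and nonce values are assumptions constructed for illustration; the lenient decoder models one common behaviour, stopping at the first padding character, and is not the SDK's `base64ToBytes`.

```typescript
// Added example. The nonces are constructed and the decoders are hypothetical
// stand-ins; this is not code from ts-sdk.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Lenient decoder (assumed behaviour): silently stops at the first '='.
function lenientDecode(b64: string): Uint8Array {
  const out: number[] = [];
  let acc = 0, bits = 0;
  for (let i = 0; i < b64.length && b64[i] !== "="; i++) {
    const v = ALPHABET.indexOf(b64[i]);
    if (v < 0) throw new Error("invalid base64 character");
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return new Uint8Array(out);
}

// Strict decoder: padding is only legal at the very end of one encoded value.
function strictDecode(b64: string): Uint8Array {
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(b64)) {
    throw new Error("malformed base64");
  }
  return lenientDecode(b64);
}

// Pattern described in the advisory: concatenate the strings, then decode.
function flawedSigData(initialNonce: string, sessionNonce: string): Uint8Array {
  return lenientDecode(initialNonce + sessionNonce);
}

// Corrected pattern: decode each nonce, then concatenate the bytes.
function correctSigData(initialNonce: string, sessionNonce: string): Uint8Array {
  const a = strictDecode(initialNonce);
  const b = strictDecode(sessionNonce);
  const out = new Uint8Array(a.length + b.length);
  out.set(a, 0);
  out.set(b, a.length);
  return out;
}

// Constructed 32-byte nonces: all 0x00 and all 0xff, 44 base64 characters each.
const NONCE_A = "A".repeat(43) + "=";
const NONCE_B = "/".repeat(42) + "8=";
```

With this assumed decoder the flawed path returns 32 bytes and never reads the second nonce, while the corrected path returns the full 64 bytes. Asserting a 64-byte length on the signature input is a cheap regression check when auditing a custom BRC-104 implementation.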
Potential Impact
For European organizations utilizing the BSV Blockchain TypeScript SDK in their blockchain applications, this vulnerability poses a risk to the integrity and availability of authentication processes. Attackers exploiting this flaw could bypass mutual authentication, potentially allowing unauthorized access to blockchain nodes or services, leading to unauthorized transactions, data manipulation, or denial of service. Given the reliance on blockchain for financial services, supply chain management, and identity verification in Europe, such breaches could undermine trust, cause financial losses, and disrupt critical operations. The incompatibility between SDK implementations may also lead to interoperability issues, affecting cross-platform blockchain applications and partnerships. Although no active exploits are known, the medium severity and ease of exploitation without privileges or complex user interaction warrant prompt attention to prevent potential attacks.
Mitigation Recommendations
European organizations should immediately upgrade to version 2.0.0 or later of the BSV Blockchain TypeScript SDK to ensure correct signature generation and mutual authentication. In environments where immediate upgrade is not feasible, organizations should implement strict network segmentation and access controls around blockchain nodes to limit exposure to untrusted peers. Additionally, monitoring authentication logs for anomalies or repeated authentication failures can help detect exploitation attempts. Developers should audit any custom implementations of BRC-104 authentication to verify correct nonce handling and signature preparation. Employing cryptographic validation tests across SDK implementations before deployment can prevent interoperability issues. Finally, organizations should maintain up-to-date inventories of blockchain SDK versions in use and establish patch management processes specific to blockchain components.
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Luxembourg
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-31T16:38:21.806Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6996fb478fb9188dea8c0320
Added to database: 2/19/2026, 12:00:07 PM
Last enriched: 2/19/2026, 12:04:29 PM
Last updated: 2/21/2026, 12:22:02 AM