CVE-2024-45244

MEDIUM

Hyperledger Fabric <3.0.0, <2.5.10 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-45244. PoCs published by shanker-sec.

AI-analyzed exploit summary This repository provides a functional Hyperledger Fabric chaincode that mitigates CVE-2024-45244 by implementing NTP/NTS-based time verification to prevent transaction time manipulation. It includes Go-based chaincode for Fabric 2.4.x and 2.5.x with test cases.

Description

Hyperledger Fabric through 3.0.0 and 2.5.x through 2.5.9 do not verify that a request has a timestamp within the expected time window.

Exploits (2)

nomisec WORKING POC 2 stars

by shanker-sec · poc

https://github.com/shanker-sec/hlf-time-oracle

View Code ZIP pw:eip

This repository provides a functional Hyperledger Fabric chaincode that mitigates CVE-2024-45244 by implementing NTP/NTS-based time verification to prevent transaction time manipulation. It includes Go-based chaincode for Fabric 2.4.x and 2.5.x with test cases.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Hyperledger Fabric 2.4.x, 2.5.x

No auth needed

Prerequisites: Hyperledger Fabric network · NTP/NTS server access

MITRE ATT&CK

T1556.003 - Pluggable Authentication Modules

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 1 stars

by shanker-sec · poc

https://github.com/shanker-sec/HLF_TxTime_spoofing

View Code ZIP pw:eip

This repository contains a functional PoC demonstrating transaction time spoofing in Hyperledger Fabric (CVE-2024-45244). It includes vulnerable chaincode using GetTxTimestamp() and secure variants using NTP/NTS/local time for validation.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Hyperledger Fabric v2.5.5 and v3.0.0-beta

No auth needed

Prerequisites: Access to Hyperledger Fabric network · Ability to manipulate local system time

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources

https://github.com/shanker-sec/HLF_TxTime_spoofing

Various Sources

https://github.com/shanker-sec/hlf-time-oracle

Patch

https://github.com/hyperledger/fabric/commit/155457a6624b3c74b22e5729c35c8499bfe952cd

View Patch ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0059

EPSS Percentile 43.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-294

Status published

Products (2)

hyperledger/fabric < 2.5.9

hyperledger/fabric 0Go

Published Aug 25, 2024

Tracked Since Feb 18, 2026