Impact
An integer parsing flaw in the ledgerhq/hw-app-eth application allows integers represented as hexadecimal strings with an odd number of characters to be parsed incorrectly. This leads to signature requests signed over truncated or misinterpreted message values. When attackers control the data sent to the device, they can obtain signatures that authorize unintended blockchain transactions, such as transferring assets for incorrect amounts. The likely attack vector is an attacker controlling the input of EIP‑712 typed data sent to the device, typically via malicious software or a compromised application.
Affected Systems
Affected products are Ledger Live and the Ledger hardware wallet sub‑app hw‑app‑eth from the Ledger team. Vulnerable versions are all releases of ledgerhq/hw-app-eth earlier than 6.34.7. Users running Ledger Live or the sub‑app at those versions are at risk.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate to high severity of the flaw. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, but the attack scenario requires an adversary to supply malicious EIP‑712 typed data to the device, which is feasible when the device is connected to an untrusted computer or a compromised application. The likely attack vector is the injection of malicious EIP‑712 messages via an untrusted computer or malicious application. Once the flawed parsing is exploited, the signatures obtained can be used to authorize unauthorized transactions with potentially significant financial impact.