GHSA-x442-m7cc-hr92: kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy
When inner CPI instructions use instruction types not recognized by Kora’s parser (including Token-2022 extension instructions like ConfidentialTransfer, TransferFeeExtension::WithdrawWithheldTokens, etc.), they are reconstructed as stub instructions with empty accounts and empty data. These stubs fail deserialization during fee payer policy validation and are silently skipped, meaning any fee payer usage within those instructions goes completely unchecked.
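The fail-open skip described above, next to a fail-closed alternative, as an added illustration that is not Kora's code: the `Instruction` type, the `TRANSFER_TAG` value, the `deserialize` helper and the account keys are all hypothetical, constructed for this example.

```rust
// Added illustration, not Kora's code. Models how an unrecognized inner
// instruction is rebuilt as an empty stub that a fail-open policy check
// skips, beside a fail-closed check. All names and tags are hypothetical.
#[derive(Clone, Debug)]
struct Instruction {
    program: &'static str,
    accounts: Vec<&'static str>, // account keys, constructed sample values
    data: Vec<u8>,               // first byte acts as the instruction tag
}

const TRANSFER_TAG: u8 = 3; // the only "recognized" instruction here

/// Mirrors the advisory: recognized instructions are kept, anything else
/// is reconstructed as a stub with empty accounts and empty data.
fn reconstruct(ix: &Instruction) -> Instruction {
    match ix.data.first() {
        Some(&TRANSFER_TAG) => ix.clone(),
        _ => Instruction { program: ix.program, accounts: vec![], data: vec![] },
    }
}

/// Hypothetical deserializer: a stub (empty data) cannot be decoded.
fn deserialize(ix: &Instruction) -> Result<(u8, &[&'static str]), String> {
    match ix.data.first() {
        Some(&tag) => Ok((tag, &ix.accounts)),
        None => Err("empty instruction data".to_string()),
    }
}

/// Vulnerable (fail-open): a deserialization error is silently skipped, so
/// a stub whose original accounts referenced the fee payer passes policy.
fn validate_fail_open(ixs: &[Instruction], fee_payer: &str) -> Result<(), String> {
    for ix in ixs.iter().map(reconstruct) {
        let accounts = match deserialize(&ix) {
            Ok((_, accounts)) => accounts,
            Err(_) => continue, // the bug: unchecked instruction is ignored
        };
        if accounts.iter().any(|a| *a == fee_payer) {
            return Err(format!("fee payer used in {}", ix.program));
        }
    }
    Ok(())
}

/// Fail-closed: the raw account list is checked before any reconstruction,
/// and an instruction that cannot be decoded is itself a policy violation.
fn validate_fail_closed(ixs: &[Instruction], fee_payer: &str) -> Result<(), String> {
    for ix in ixs {
        if ix.accounts.iter().any(|a| *a == fee_payer) {
            return Err(format!("fee payer used in {}", ix.program));
        }
        deserialize(&reconstruct(ix))
            .map_err(|e| format!("unrecognized instruction in {}: {}", ix.program, e))?;
    }
    Ok(())
}
```

With an unrecognized Token-2022 style instruction that lists the fee payer among its accounts, `validate_fail_open` returns `Ok` while `validate_fail_closed` rejects the transaction.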