Platform: nodejs
Component: sha.js
Fixed in: 2.4.12
CVE-2025-9288 is a critical vulnerability in the sha.js library, a JavaScript implementation of the SHA-1, SHA-256, SHA-3, and SHA-512 hashing algorithms. The flaw stems from inadequate input type validation, allowing attackers to supply malicious payloads that can manipulate the hash state. Node.js applications that use an affected version of sha.js are susceptible; a fix is available in version 2.4.12.
The core of this vulnerability lies in the sha.js library's failure to properly validate input types. An attacker can craft malicious payloads that bypass these checks, injecting invalid data into the hashing process. This can lead to several severe consequences. Firstly, the hash state can be manipulated, effectively allowing an attacker to alter the perceived integrity of data. Secondly, the hashing process can hang indefinitely, resulting in a denial-of-service (DoS) condition. Finally, the vulnerability can lead to undefined behavior, making the application unpredictable and potentially exploitable in other ways. The ability to manipulate hash states is particularly concerning, as it could be leveraged to bypass integrity checks and compromise sensitive data.
Exploitation context for CVE-2025-9288 is currently limited, but the availability of a public proof-of-concept (PoC) indicates a potential for rapid exploitation. The vulnerability's critical severity and the ease of crafting malicious payloads suggest a medium probability of exploitation. As of the publication date (2025-08-21), the vulnerability has not been added to the CISA KEV catalog. Active campaigns targeting this vulnerability are not currently known, but the public PoC increases the likelihood of future exploitation attempts.
Applications relying on sha.js for cryptographic hashing, particularly those handling untrusted input, are at significant risk. This includes web applications, backend services, and any Node.js projects utilizing sha.js directly or as a dependency. Projects that have not implemented robust input validation practices are particularly vulnerable.
• nodejs / server: `ps aux | grep sha.js`
• nodejs / supply-chain: `npm ls sha.js`
• nodejs / server: `npm audit sha.js`
• nodejs / server: `find / -name 'sha.js' -type f`
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2025-9288 is to immediately upgrade to version 2.4.12 of the sha.js library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by rigorously validating all input data provided to the sha.js library. This could involve whitelisting allowed data types and lengths, or using a more robust input validation library. While not a complete solution, this can reduce the attack surface. Monitor Node.js application logs for unusual hashing behavior or errors related to sha.js. After upgrading, confirm the fix by attempting to reproduce the vulnerability with known malicious payloads and verifying that the hashing process behaves as expected.
Update the sha.js dependency to a version later than 2.4.11. This can be done by running `npm update sha.js` or `yarn upgrade sha.js` in your project. Verify that the installed version is correct after the update.
CVE-2025-9288 is a critical vulnerability in sha.js, a JavaScript hashing library, allowing attackers to manipulate hash states due to missing input type checks. It has a CVSS score of 9.1.
You are affected if you are using a version of sha.js prior to 2.4.12 in your Node.js project and handle untrusted input.
Upgrade to sha.js version 2.4.12 or later. If immediate upgrade is not possible, implement strict input validation for data passed to sha.js functions.
While active exploitation is not confirmed, a public proof-of-concept exists, indicating a potential for exploitation.
Refer to the GitHub Security Advisory for GHSA-cpq7-6gpm-g9rc: https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc