Platform: nodejs
Component: cipher-base
Fixed in: 1.0.5
CVE-2025-9287 is a critical vulnerability affecting the create-hash npm package and related dependencies like crypto-browserify. This flaw stems from insufficient input type validation, allowing attackers to provide malformed data to the hashing function. This can lead to unpredictable behavior, including hash state corruption, application hangs, and potentially, the ability to manipulate hash values, impacting data integrity and security. The vulnerability was published on 2025-08-21 and a fix is available in version 1.0.5.
The core of the vulnerability lies in the create-hash function's lack of robust input validation. Instead of strictly enforcing strings or Buffer objects, the function accepts other data types. An attacker can craft malicious input that, when processed by the hashing algorithm, causes the internal state of the hash object to become corrupted. This corruption can manifest as application hangs, unexpected errors, or, more critically, the ability to rewind the hash state, effectively allowing an attacker to manipulate the resulting hash value. This could be exploited to bypass integrity checks, forge digital signatures, or compromise the security of any application relying on the affected hashing functions. The impact extends beyond just create-hash; packages like create-hmac and others that depend on this polyfill are also vulnerable.
As of the publication date (2025-08-21), the vulnerability is publicly known with a proof-of-concept available. The CVSS score is 9.1 (CRITICAL), indicating a high probability of exploitation. It is not currently listed on the CISA KEV catalog, but given the severity and availability of a PoC, it is likely to be added. Active exploitation campaigns are possible, particularly targeting applications that rely on vulnerable versions of create-hash without proper input validation.
Exploit Status
EPSS: 0.11% (29th percentile)
The primary mitigation for CVE-2025-9287 is to upgrade the create-hash package and its dependencies to version 1.0.5 or higher. This version includes the necessary input validation to prevent the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by validating the input type before passing it to the createHash function. This could involve checking if the input is a string or a Buffer object. While not a complete solution, this can reduce the attack surface. There are no specific WAF or proxy rules that can directly address this vulnerability, as it occurs within the application code. Monitor npm package dependencies for updates and security advisories.
Update the cipher-base library to a version later than 1.0.4. This can be achieved by updating your project's dependencies that use cipher-base. Run `npm update cipher-base` or `yarn upgrade cipher-base` to update to the latest available version.
CVE-2025-9287 is a critical vulnerability in the create-hash npm package that allows attackers to manipulate hash values due to missing input type checks, potentially leading to application hangs or data corruption.
You are affected if your Node.js application uses a version of create-hash prior to 1.0.5, or any package that depends on a vulnerable version of create-hash.
Upgrade the create-hash package to version 1.0.5 or higher. If immediate upgrade is not possible, implement input validation before passing data to the hashing function.
While there's no confirmed widespread exploitation, the vulnerability is publicly known with a PoC, making active exploitation a possibility.
Refer to the npm advisory and the create-hash repository for updates and details: [https://www.npmjs.com/advisories/1027](https://www.npmjs.com/advisories/1027)