Platform
nodejs
Component
sha.js
Fixed in
2.4.12
CVE-2025-9288 is a critical vulnerability in sha.js, a pure-JavaScript implementation of the SHA family (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) that is widely pulled in transitively through packages such as create-hash and crypto-browserify. The flaw is a missing type check on the data passed to `update()`: the library trusted the argument's `length` property and element access without first confirming that the argument was a string, Buffer or typed array, so an attacker who controls the type of that argument (not merely its contents) can corrupt the hash's internal state. The fix shipped in sha.js 2.4.12.
The problem is the absence of an input type check in `update()`. Because the method only converts strings to Buffers and otherwise uses whatever object it is given, a crafted value such as a plain object with a negative or oversized `length` is processed as if it were bytes. The consequences are: rewinding the hash state (the running byte counter is decremented, so later data overwrites bytes that were already absorbed, including a secret prefix), hanging the process (a huge `length` drives the copy loop for billions of iterations), and producing a digest that does not correspond to the bytes the caller believes were hashed. Any construction that relies on the digest, such as a secret-prefix token, an integrity check on stored data or a signature over a message hash, can therefore be bypassed or forged when the attacker can reach `update()` with a non-string, non-Buffer value. The root cause is the same as in other hash-manipulation bugs: input that was never validated as bytes is fed into a byte-oriented state machine.
The vulnerability was publicly disclosed on August 21, 2025, and a public proof-of-concept exists, so the barrier to exploitation is low wherever the precondition holds. The published EPSS score is nonetheless low (0.05%, 14th percentile) despite the critical CVSS score, reflecting that the attacker must be able to control the type of the value reaching `update()`, which is common with JSON-decoded request bodies but not universal. Prioritize remediation by locating those code paths rather than by the CVSS score alone.
Exploit Status
EPSS
0.05% (14th percentile)
The primary mitigation for CVE-2025-9288 is to upgrade to sha.js 2.4.12 or later. If an immediate upgrade is blocked by compatibility concerns, a temporary workaround is to guarantee that only strings, Buffers or Uint8Arrays ever reach `update()`: check the type at the boundary where untrusted (for example JSON-decoded) data enters and reject anything else with an error rather than coercing it. This closes the attack path but does not replace the upgrade, because every call site, including those inside dependencies, must be covered. Watch for hangs or unexpected digests around hashing code. After upgrading, confirm the fix by calling `update()` with a non-string, non-Buffer value such as `{ length: -1 }` and verifying that it throws instead of silently changing state.
Update the sha.js dependency to 2.4.12 or later. For a direct dependency run `npm update sha.js` (or `yarn upgrade sha.js`); for a transitive dependency, which is the common case, run `npm ls sha.js` to see which packages pull it in and use `npm audit fix` or a package.json `overrides` entry (Yarn: `resolutions`) to force the patched version. Afterwards run `npm ls sha.js` again and confirm that every resolved copy is 2.4.12 or later.
CVE-2025-9288 is a critical vulnerability in sha.js, a JavaScript hashing library, that lets attackers manipulate hash state because `update()` did not check the type of its input. It carries a CVSS score of 9.1.
You are affected if your Node.js or bundled browser project resolves any version of sha.js prior to 2.4.12 and untrusted data whose type the attacker can influence (for example, values taken directly from parsed JSON) can reach a hash's `update()` call.
Upgrade to sha.js 2.4.12 or later. If an immediate upgrade is not possible, enforce that only strings, Buffers or Uint8Arrays are passed to sha.js `update()` and reject anything else.
While active exploitation is not confirmed, a public proof-of-concept exists, indicating a potential for exploitation.
Refer to the GitHub Security Advisory GHSA-cpq7-6gpm-g9rc: https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc (filed in the browserify/cipher-base repository; cipher-base is the companion package that received the same type-check fix).