Platform: nodejs
Component: cipher-base
Fixed in: 1.0.5
CVE-2025-9287 is a critical vulnerability affecting the create-hash npm package and related dependencies like crypto-browserify. This flaw stems from insufficient input type validation, allowing attackers to provide malformed data to the hashing function. This can lead to unpredictable behavior, including hash state corruption, application hangs, and potentially, the ability to manipulate hash values, impacting data integrity and security. The vulnerability was published on 2025-08-21 and a fix is available in version 1.0.5.
The core of the vulnerability lies in the create-hash function's lack of robust input validation. Instead of strictly enforcing strings or Buffer objects, the function accepts other data types. An attacker can craft malicious input that, when processed by the hashing algorithm, causes the internal state of the hash object to become corrupted. This corruption can manifest as application hangs, unexpected errors, or, more critically, the ability to rewind the hash state, effectively allowing an attacker to manipulate the resulting hash value. This could be exploited to bypass integrity checks, forge digital signatures, or compromise the security of any application relying on the affected hashing functions. The impact extends beyond just create-hash; packages like create-hmac and others that depend on this polyfill are also vulnerable.
As of the publication date (2025-08-21), the vulnerability is publicly known with a proof-of-concept available. The CVSS score is 9.1 (CRITICAL), indicating a high probability of exploitation. It is not currently listed on the CISA KEV catalog, but given the severity and availability of a PoC, it is likely to be added. Active exploitation campaigns are possible, particularly targeting applications that rely on vulnerable versions of create-hash without proper input validation.
Applications built with Node.js that utilize the create-hash package or any of its dependent libraries (e.g., crypto-browserify) are at risk. This includes web applications, desktop applications, and command-line tools. Projects using older versions of npm or those with lax dependency management practices are particularly vulnerable.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object Name, Id
• nodejs / supply-chain:
# Search the directories listed in NODE_PATH (semicolon-separated) for an installed create-hash module
Get-ChildItem -Path ($env:NODE_PATH -split ';') -Recurse -Directory | Where-Object {$_.Name -like '*create-hash*'}
• generic web:
Inspect npm package.json files for dependencies on vulnerable versions of create-hash (prior to 1.0.5). Use `npm ls create-hash` to identify vulnerable dependencies in your project.
disclosure
poc
Exploit status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9287 is to upgrade the create-hash package and its dependencies to version 1.0.5 or higher. This version includes the necessary input validation to prevent the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by validating the input type before passing it to the createHash function. This could involve checking if the input is a string or a Buffer object. While not a complete solution, this can reduce the attack surface. There are no specific WAF or proxy rules that can directly address this vulnerability, as it occurs within the application code. Monitor npm package dependencies for updates and security advisories.
Update the cipher-base library to a version later than 1.0.4. This can be achieved by updating the dependencies in your project that use cipher-base. Run `npm update cipher-base` or `yarn upgrade cipher-base` to update to the latest available version.
CVE-2025-9287 is a critical vulnerability in the create-hash npm package that allows attackers to manipulate hash values due to missing input type checks, potentially leading to application hangs or data corruption.
You are affected if your Node.js application uses a version of create-hash prior to 1.0.5, or any package that depends on a vulnerable version of create-hash.
Upgrade the create-hash package to version 1.0.5 or higher. If immediate upgrade is not possible, implement input validation before passing data to the hashing function.
While there's no confirmed widespread exploitation, the vulnerability is publicly known with a PoC, making active exploitation a possibility.
Refer to the npm advisory and the create-hash repository for updates and details: [https://www.npmjs.com/advisories/1027](https://www.npmjs.com/advisories/1027)