A critical security vulnerability has been discovered in the widely-used sha.js npm package, exposing millions of applications to sophisticated hash manipulation attacks that could compromise cryptographic operations and enable unauthorized access to sensitive systems.
The vulnerability, designated CVE-2025-9288, affects all versions up to 2.4.11 of the library, which has accumulated over 14 million downloads across the JavaScript ecosystem.
Vulnerability Details and Attack Vectors
The security flaw stems from missing input type validation within the sha.js library’s hash calculation mechanism, allowing attackers to manipulate hash states through carefully crafted JSON-stringifiable input.
| CVE Details | Information |
|---|---|
| CVE ID | CVE-2025-9288 |
| Severity | Critical |
| CVSS v4 Score | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N |
| Affected Package | sha.js (npm) |
| Affected Versions | ≤2.4.11 |
Security researcher ChALkeR discovered that malicious actors can exploit this weakness to rewind hash states, convert tagged hashes into untagged variants, and generate hash collisions that bypass security controls.
The vulnerability manifests in three primary attack scenarios. First, attackers can trigger hash state rewinds using objects with negative length properties, effectively rolling back the cryptographic state to previous values.
Second, the flaw enables value miscalculation attacks where specially crafted objects can produce identical hash outputs for different input data, creating dangerous collision scenarios.
Third, the vulnerability allows for denial-of-service attacks by providing malformed length values that cause the library to hang indefinitely.
The vulnerability has been assigned a critical CVSS v4 base score, reflecting its severe potential impact on both the vulnerable system and on subsequent (downstream) systems that trust its output.
The attack vector operates over the network (AV:N) with high attack complexity (AC:H) and attack requirements present (AT:P), but needs no privileges (PR:N) and no user interaction (UI:N), making it particularly dangerous for automated exploitation scenarios.
The sha.js maintainers have addressed the vulnerability in version 2.4.12, which includes comprehensive input type validation to prevent the identified attack vectors.
Organizations utilizing the affected library should immediately update to the patched version and conduct thorough security assessments of systems that may have been exposed to malicious hash manipulation attempts.
The discovery underscores the critical importance of robust input validation in cryptographic libraries and highlights the cascading security risks that can emerge from seemingly minor implementation oversights in widely-adopted open-source components.