-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| altcha | npm | <= 0.8.0 |
Miggo AIRoot Cause AnalysisThe vulnerability lies in a cryptanalytic break of Altcha's proof-of-work obfuscation mode. The root cause is the numberToUint8Array function in src/helpers.ts, which generates a predictable Initialization Vector (IV) from a nonce using simple modulo and division operations. This creates a linear relationship that allows an attacker to mathematically deduce the nonce in constant time, bypassing the intended computational work.
The clarifyData function is the higher-level consumer of this flawed logic. It attempts to deobfuscate the challenge by iterating through nonces and using numberToUint8Array to generate IVs for decryption. While a legitimate client would execute this brute-force search, the vulnerability in numberToUint8Array makes this entire process moot.
Both functions are identified as vulnerable. numberToUint8Array contains the fundamental cryptographic weakness, and clarifyData is the function that implements the vulnerable proof-of-work mechanism that is supposed to be difficult to solve. During a legitimate solving process, both functions would appear in a runtime profile, representing the vulnerable path.
clarifyDatasrc/helpers.ts
numberToUint8Arraysrc/helpers.ts