cipher-base is missing type checks, leading to hash rewind and passing on crafted data
This affects e.g. create-hash (and crypto-browserify), so I'll describe the issue against that package Also affects create-hmac and other packages Node.js createHash works only on strings or instances of Buffer, TypedArray, or DataView. Missing input type checks (in npm create-hash polyfill of Node.js createHash) can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into …