cipher-base is missing type checks, leading to hash rewind and passing on crafted data
This affects e.g. create-hash (and crypto-browserify), so I'll describe the issue against that package Also affects create-hmac and other packages Node.js createHash works only on strings or instances of Buffer, TypedArray, or DataView. Missing input type checks in npm create-hash polyfill of Node.js createHash lead to it calculating invalid values, hanging, rewinding the hash state (including turning a tagged hash into an untagged hash) on malicious JSON-stringifyable input