CVE-2025-9287: cipher-base is missing type checks, leading to hash rewind and passing on crafted data
This affects, for example, create-hash (and, through it, crypto-browserify, which depends on create-hash), so the issue is described below against that package. It also affects create-hmac and other packages that build on cipher-base.
Node.js createHash accepts only strings or instances of Buffer, TypedArray, or DataView as input, and throws a TypeError for anything else. The npm create-hash polyfill of Node.js createHash (built on cipher-base) performs no such input type check, so malicious JSON-stringifyable input, i.e. a value that can arrive via JSON.parse of attacker-controlled data rather than as a string or byte container, is passed straight through to the hash. Depending on the input this makes it calculate invalid values, hang, or rewind the hash state (including turning a tagged hash into an untagged hash). The practical exposure is any code path that hashes a field taken from untrusted structured data without first checking that it is a string or bytes; the fix is to upgrade to a cipher-base release containing the commit linked below, and, independently, to validate input types before hashing.
References
- github.com/advisories/GHSA-cpq7-6gpm-g9rc
- github.com/browserify/cipher-base
- github.com/browserify/cipher-base/commit/8fd136432ca298a664f5637629cf2b42a6c7f294
- github.com/browserify/cipher-base/pull/23
- github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc
- nvd.nist.gov/vuln/detail/CVE-2025-9287