CVE-2025-27408: Manifest Uses a One-Way Hash without a Salt

March 3, 2025 (updated March 4, 2025)

Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process.

References

github.com/advisories/GHSA-h8h6-7752-g28c
github.com/mnfst/manifest
github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69
github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c
nvd.nist.gov/vuln/detail/CVE-2025-27408

Detect and mitigate CVE-2025-27408 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →