CVE-2025-9288: sha.js is missing type checks leading to hash rewind and passing on crafted data
This is the same as GHSA-cpq7-6gpm-g9rc but just for sha.js, as it has its own implementation.
Missing input type checks cause it to compute invalid values, hang, or rewind the hash state (including turning a tagged hash into an untagged hash) on malicious JSON-stringifiable input.
References
- github.com/advisories/GHSA-95m3-7q98-8xr5
- github.com/browserify/sha.js
- github.com/browserify/sha.js/commit/f2a258e9f2d0fcd113bfbaa49706e1ac0d979ba5
- github.com/browserify/sha.js/pull/78
- github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5
- nvd.nist.gov/vuln/detail/CVE-2025-9288
- www.cve.org/CVERecord?id=CVE-2025-9287