PT-2025-34162 · Pypi+3 · Cipher-Base+3

Chalker · Published 2025-08-20 · Updated 2026-03-16 · CVE-2025-9287

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

cipher-base versions through 1.0.4

Description:

An improper input validation issue exists in cipher-base, allowing input data manipulation. This is due to missing input type checks, which can lead to invalid value calculations, hash state rewinding (potentially turning a tagged hash into an untagged hash), and denial-of-service conditions when processing malicious JSON-stringifyable input. Specifically, manipulating the length property within the input data can cause unexpected behavior in the hashing process. This can potentially lead to collisions, incorrect hash values, and in some cases, even private key extraction from cryptographic libraries.

Recommendations:

Update cipher-base to a version beyond 1.0.4.

Exploit

Fix

DoS

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-10188
CVE-2025-9287
DLA-4291-1
DSA-5986-1
GHSA-95M3-7Q98-8XR5
GHSA-CPQ7-6GPM-G9RC
OPENSUSE-SU-2025:15484-1
USN-7746-1

Affected Products

Debian
Linuxmint
Ubuntu
Cipher-Base