PT-2025-34165 · Sha.Js+3

Chalker · Published 2025-08-20 · Updated 2026-03-16 · CVE-2025-9288

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sha.js versions through 2.4.11

Description: An improper input validation vulnerability exists in sha.js, allowing for input data manipulation. This flaw can lead to hash collisions and potentially private key extraction, threatening web applications. The vulnerability stems from missing input type checks, which permit the use of data types other than expected, resulting in undefined behavior, including hash state rewinding and the potential to transform tagged hashes into untagged hashes. Exploitation can involve manipulating the length property of input data to generate collisions or cause denial-of-service conditions.

Recommendations: Update sha.js to version 2.4.12 or later.

Exploit

Fix

DoS

RCE

Related Identifiers

AZL-66570
CVE-2025-9288
DLA-4302-1
DSA-6002-1
GHSA-95M3-7Q98-8XR5
USN-7778-1

Affected Products

Debian
Linuxmint
Ubuntu
Sha.Js