PT-2025-51359 · Composer+3 · Altcha-Org/Altcha+3
Published
2025-12-16
·
Updated
2026-01-06
·
CVE-2025-68113
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
ALTCHA versions prior to 1.0.0 (Golang package)
ALTCHA versions prior to 1.0.0 (Rubygem package)
ALTCHA versions prior to 1.0.0 (pip package)
ALTCHA versions prior to 1.0.0 (Erlang package)
ALTCHA versions prior to 1.4.1 (altcha-lib npm package)
ALTCHA versions prior to 1.3.1 (altcha-org/altcha Composer package)
ALTCHA versions prior to 1.3.0 (org.altcha:altcha Maven package)
Description
A cryptographic semantic binding flaw exists in ALTCHA libraries, potentially enabling replay attacks. The HMAC signature does not sufficiently bind challenge parameters to the nonce, allowing an attacker to modify the expiration value of a valid proof-of-work submission. This could allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling. The issue impacts abuse-prevention mechanisms like rate limiting and bot mitigation but does not directly affect data confidentiality or integrity. The flaw arises from a lack of explicit semantic separation between challenge parameters and the nonce during HMAC computation.
Recommendations
Upgrade to version 1.0.0 of the altcha Golang package.
Upgrade to version 1.0.0 of the altcha Rubygem package.
Upgrade to version 1.0.0 of the altcha pip package.
Upgrade to version 1.0.0 of the altcha Erlang package.
Upgrade to version 1.4.1 of the altcha-lib npm package.
Upgrade to version 1.3.1 of the altcha-org/altcha Composer package.
Upgrade to version 1.3.0 of the org.altcha:altcha Maven package.
As a mitigation, append a delimiter to the end of the salt value prior to HMAC computation (for example, <salt>?expires=<time>&).
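Added illustration, not the library's own code, of why the delimiter mitigation matters: a simplified model of the scheme the advisory describes, where the salt carries the expires parameter and the solver's number is appended to it before hashing and signing. Without a trailing delimiter, a resubmission can move a digit between the expires field and the number without changing the hashed bytes, so the HMAC still validates after the original expiry; with the trailing `&` the same resubmission fails the challenge check. The key, salt and timestamps are constructed values.

```python
import hashlib
import hmac

# Simplified model of the scheme the advisory describes (not the library's
# own code): challenge = SHA-256(salt || number), signature = HMAC(key,
# challenge), with the salt carrying an "expires" parameter. Constructed key.
HMAC_KEY = b"constructed-demo-key"

def make_salt(rand: str, expires: int, delimited: bool) -> str:
    # Unfixed: the salt ends right after the expires digits. Mitigated:
    # a trailing "&" closes the parameter before the number is appended.
    salt = f"{rand}?expires={expires}"
    return salt + "&" if delimited else salt

def challenge(salt: str, number: int) -> str:
    return hashlib.sha256((salt + str(number)).encode()).hexdigest()

def sign(chal: str) -> str:
    return hmac.new(HMAC_KEY, chal.encode(), hashlib.sha256).hexdigest()

def expires_of(salt: str) -> int:
    # Read the expires parameter from the salt's query-string part.
    for kv in salt.split("?", 1)[1].split("&"):
        if kv.startswith("expires="):
            return int(kv[len("expires="):])
    return 0

def verify(salt: str, number: int, chal: str, sig: str, now: int) -> bool:
    # Identical verifier for both schemes; only the salt format differs.
    if expires_of(salt) <= now:
        return False
    if not hmac.compare_digest(challenge(salt, number), chal):
        return False
    return hmac.compare_digest(sign(chal), sig)

def replay_outcome(delimited: bool) -> tuple[bool, bool]:
    # Returns (legitimate submission accepted, expiry-extended resubmission
    # accepted one hour after the original expiry).
    expires, number = 1_700_000_000, 123
    salt = make_salt("abc", expires, delimited)
    chal = challenge(salt, number)
    sig = sign(chal)
    legit = verify(salt, number, chal, sig, expires - 60)
    # Resubmission that moves a digit from the number into expires: without
    # the delimiter the concatenated bytes, hash and HMAC are all unchanged.
    moved_salt = make_salt("abc", 17_000_000_001, delimited)
    replayed = verify(moved_salt, 23, chal, sig, expires + 3600)
    return legit, replayed
```

`replay_outcome(False)` returns `(True, True)` for the undelimited salt and `replay_outcome(True)` returns `(True, False)` once the delimiter is in place.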
Improper Verification of Cryptographic Signature
Affected Products
Altcha
Altcha-Lib
Altcha-Org/Altcha
Org.Altcha:Altcha