
exploitDog


CVE-2025-9287

Published: 20 Aug 2025
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.

An improper input validation vulnerability was found in the cipher-base npm package. Missing input type checks in the polyfill of the Node.js createHash function result in invalid value calculations, hanging, and rewinding of the hash state, including turning a tagged hash into an untagged hash, for malicious JSON-stringifiable inputs.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel9 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel8 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel9 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel8 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel9 | Affected | | |
| OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Affected | | |


Additional information

Status: Important
Defect: CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=2389932 (cipher-base: Cipher-base hash manipulation)

EPSS

Percentile: 32%
0.00119
Low

7.5 High

CVSS3

Related vulnerabilities

ubuntu
28 days ago

Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.

nvd
28 days ago

Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.

debian
28 days ago

Improper Input Validation vulnerability in cipher-base allows Input Da ...

github
27 days ago

cipher-base is missing type checks, leading to hash rewind and passing on crafted data

CVSS3: 9
fstec
28 days ago

Vulnerability in the cipher-base package of the Node.js software platform that allows an attacker to execute arbitrary code
