CVE-2025-9287

Vulnerability

cipher-base: Cipher-base hash manipulation

ecosystem: redhat:7, redhat:8

An improper input validation vulnerability was found in the cipher-base npm package. Missing input type checks in the polyfill of the Node.js `createHash` function result in invalid value calculations, hanging and rewinding the hash state, including turning a tagged hash into an untagged hash, for malicious JSON-stringifyable inputs.

severity: Important

type: vendor

source: secalert@redhat.com

CVSS 3.1: 7.5 HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L

AV: Network
AC: High
PR: None
UI: None
S: Changed
C: None
I: High
A: Low

source: secalert@redhat.com

CWE: CWE-20 Improper Input Validation

source: secalert@redhat.com

published: 2025-08-20 21:43:56

modified: 2025-08-29 21:23:02

Detection

redhat:7

OR

status: unfixed (Out of support scope)

firefox

package type: source

type: version
status: unfixed (Out of support scope)

thunderbird

package type: source

type: version

tag: rhel-7-extras-including-unpatched:37f3937f-8123-7add-abf7-cf9f6a1e892e

redhat:8

OR

status: unfixed (Affected)

grafana

package type: source

type: version

tag: rhel-8-including-unpatched:0e04bc73-f78d-8230-a264-85acea86d3a2

Data Sources

  • RedHat Enterprise Linux CSAF VEX

    redhat-vex