CVE-2025-9288
sha.js: Missing type checks leading to hash rewind and passing on crafted data
ecosystem: redhat:7, redhat:8, redhat:9
A vulnerability was found in sha.js, where the hashing implementation does not perform sufficient validation of the input type. The .update() function accepts arbitrary objects, including objects with a crafted length property, and that property can alter the internal state machine of the hashing process. The flaw may result in unexpected behavior such as rewinding the hash state, producing inconsistent digests for the same data, or entering invalid processing loops. The root cause is reliance on JavaScript's object coercion rules rather than enforcing that inputs are Buffers or strings.
References
- secalert@redhat.com: https://access.redhat.com/security/cve/CVE-2025-9288
- secalert@redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2389980
- secalert@redhat.com: https://github.com/browserify/sha.js/pull/78
- secalert@redhat.com: https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5
- secalert@redhat.com: https://nvd.nist.gov/vuln/detail/CVE-2025-9288
- secalert@redhat.com: https://www.cve.org/CVERecord?id=CVE-2025-9287
- secalert@redhat.com: https://www.cve.org/CVERecord?id=CVE-2025-9288
type: vendor
source: secalert@redhat.com
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Metric | Value
---|---
Attack Vector (AV) | Network
Attack Complexity (AC) | High
Privileges Required (PR) | None
User Interaction (UI) | None
Scope (S) | Unchanged
Confidentiality (C) | Low
Integrity (I) | High
Availability (A) | High
source: secalert@redhat.com
weakness: Improper Input Validation (CWE-20)
source: secalert@redhat.com
published: 2025-08-20 21:59:44
modified: 2025-09-01 06:43:45
Detection
Any of the following source packages matches (OR):
- firefox (package type: source; tag: rhel-7-extras-including-unpatched:ea4d92b2-f08d-8201-dfcc-1897ad44b77a)
- grafana (package type: source; tag: rhel-8-including-unpatched:0e04bc73-f78d-8230-a264-85acea86d3a2)
- polkit (package type: source; tag: rhel-9-including-unpatched:387de2d1-c696-cc66-925c-3d9896624c8e)
Data Sources
- RedHat Enterprise Linux CSAF VEX
redhat-vex