CVE-2025-9287
Broken Base: How `cipher-base` Rewound the Crypto Stack
Amit Schendel
Senior Security Researcher · Jan 1, 2026
PoC Available
Executive Summary (TL;DR)
The `cipher-base` package, a dependency of widely used libraries like `crypto-browserify`, failed to correctly handle `TypedArray` inputs. This improper validation allows attackers to pass malicious data structures that "rewind" or corrupt the internal hash state, leading to potential signature forgeries and collision attacks in browser environments.
A critical flaw in the foundational `cipher-base` package allows attackers to manipulate cryptographic states and bypass integrity checks in browser-based applications.
CVSS Score: 9.1 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Probability: 0.12%
Affected Systems
- crypto-browserify
- create-hash
- create-hmac
- Browser-based cryptocurrency wallets
- Frontend JWT verification libraries
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| cipher-base (crypto-browserify ecosystem) | <= 1.0.4 | 1.0.5 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-20 (Improper Input Validation) |
| CVSS | 9.1 (Critical) |
| Attack Vector | Network / Local (Context Dependent) |
| Impact | Integrity Violation / State Manipulation |
| Root Cause | Type Confusion in Buffer Handling |
| Fix Version | 1.0.5 |
MITRE ATT&CK Mapping
CWE-20: Improper Input Validation
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Vulnerability Timeline
- 2025-01-10: Vulnerability identified in input validation logic.
- 2025-01-15: Patch proposed in Pull Request #23.
- 2025-01-20: cipher-base v1.0.5 released.