CVE-2025-9287

9.10.12%

Broken Base: How `cipher-base` Rewound the Crypto Stack

Amit Schendel

Senior Security Researcher

Jan 1, 2026·6 min read·43 visits

PoC Available

Executive Summary (TL;DR)

The `cipher-base` package, a dependency of widely used libraries like `crypto-browserify`, failed to correctly handle `TypedArray` inputs. This improper validation allows attackers to pass malicious data structures that "rewind" or corrupt the internal hash state, leading to potential signature forgeries and collision attacks in browser environments.

A critical flaw in the foundational `cipher-base` package allows attackers to manipulate cryptographic states and bypass integrity checks in browser-based applications.

Official Patches

NPMPatched version 1.0.5 release on NPM

Fix Analysis (1)

Technical Appendix

CVSS Score

9.1/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Probability

0.12%

Top 100% most exploited

Affected Systems

crypto-browserifycreate-hashcreate-hmacBrowser-based cryptocurrency walletsFrontend JWT verification libraries

Affected Versions Detail

Product	Affected Versions	Fixed Version
cipher-base crypto-browserify ecosystem	<= 1.0.4	1.0.5

Attribute	Detail
CWE ID	CWE-20 (Improper Input Validation)
CVSS	9.1 (Critical)
Attack Vector	Network / Local (Context Dependent)
Impact	Integrity Violation / State Manipulation
Root Cause	Type Confusion in Buffer Handling
Fix Version	1.0.5

MITRE ATT&CK Mapping

T1565.002Data Manipulation: Transmitted Data Manipulation

Impact

T1203Exploitation for Client Execution

Execution

CWE-20

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Known Exploits & Detection

GitHubDiscussion regarding TypedArray handling issues leading to state corruption.

Vulnerability Timeline

Vulnerability identified in input validation logic.

2025-01-10

Patch proposed in Pull Request #23.

2025-01-15

cipher-base v1.0.5 released.

2025-01-20