CVE-2025-64767
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hpke-js | hpke_js | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-323 | Nonces should be used for the present occasion and only once. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in hpke-js prior to version 1.7.5 is a race condition in the public SenderContext Seal() API that causes the same AEAD nonce to be reused for multiple Seal() calls. This nonce reuse can lead to a complete loss of confidentiality and integrity of the encrypted messages.
How can this vulnerability impact me? :
This vulnerability can lead to a complete loss of confidentiality and integrity of messages encrypted using the affected hpke-js module. An attacker could exploit the nonce reuse to decrypt or tamper with messages, compromising sensitive data and communications.
What immediate steps should I take to mitigate this vulnerability?
Upgrade hpke-js to version 1.7.5 or later, as this version contains the patch that fixes the race condition causing nonce reuse. Avoid using vulnerable versions prior to 1.7.5 to prevent loss of confidentiality and integrity.