Cipher-Base Improper Input Validation Vulnerability Allowing Input Data Manipulation
Vulnerability
A vulnerability in the 'cipher-base' package, affecting versions through 1.0.4, has been identified. This issue arises from improper input validation, which can lead to input data manipulation. The vulnerability is particularly relevant in the context of cryptographic hash functions, where it can cause hash state rewinding and miscalculation of hash values, potentially leading to denial-of-service conditions or integrity issues in applications that rely on accurate hash calculations.
Impact
Exploitation of this vulnerability can cause a critical hash state rewind, allowing an attacker to manipulate tagged hashes in cryptographic libraries, turning them into untagged hashes. This could disrupt cryptographic operations and, in some cases, lead to private key extraction. Additionally, the vulnerability can be exploited to generate hash collisions, cause denial-of-service conditions, and manipulate hash values in ways that could be exploited by other code or libraries.
Reproduction
The vulnerability can be reproduced by using a crafted payload that exploits the lack of input type checks in the 'create-hash' npm package. This can be done by sending a TypedArray or DataView input that is not properly validated, such as a Uint16Array. The 'create-hash' function will then calculate an invalid hash value, rewind the hash state, or cause the application to hang.
Remediation
Users are advised to update to version 1.0.5 or later, where this vulnerability has been patched.
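As an added example (not code from cipher-base or create-hash), the guard below validates input type before data reaches a hash's update() method: a Uint16Array or DataView is re-viewed over its exact bytes, and unsupported input is rejected rather than coerced. The names toHashBytes and safeUpdate are hypothetical, and the guard complements the upgrade to 1.0.5 rather than replacing it.

```javascript
// Added example: strict input normalization in front of a hash's update().
// toHashBytes and safeUpdate are hypothetical names, not part of
// cipher-base or create-hash.

function toHashBytes(data, encoding) {
  if (typeof data === 'string') {
    return Buffer.from(data, encoding || 'utf8');
  }
  // Buffer is a Uint8Array subclass: element count equals byte count,
  // so it can be passed through unchanged.
  if (data instanceof Uint8Array) {
    return data;
  }
  // Any other TypedArray or DataView: view the same memory as bytes,
  // honouring byteOffset/byteLength so that .length (elements) is never
  // mistaken for a byte count.
  if (ArrayBuffer.isView(data)) {
    return new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
  }
  if (data instanceof ArrayBuffer) {
    return new Uint8Array(data);
  }
  // Plain objects, arrays and array-likes are rejected, not coerced.
  throw new TypeError(
    'hash input must be a string, ArrayBuffer or ArrayBuffer view'
  );
}

// Wraps any object exposing update(bytes), such as a createHash() result.
function safeUpdate(hash, data, encoding) {
  hash.update(toHashBytes(data, encoding));
  return hash;
}

// Constructed sample input: three 16-bit elements occupy six bytes.
const sample = new Uint16Array([0x0102, 0x0304, 0x0506]);
const normalized = toHashBytes(sample);
console.log(sample.length, normalized.length);
```

The returned view shares memory with the original buffer, so it should be consumed by update() before the caller mutates the source array.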
