[Pkg-javascript-devel] Bug#1111769: Bug#1111769: node-sha.js: CVE-2025-9288
Yadd
yadd at debian.org
Thu Aug 21 22:55:47 BST 2025
On 8/21/25 20:56, Salvatore Bonaccorso wrote:
> Source: node-sha.js
> Version: 2.4.11+~2.4.0-2
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/browserify/sha.js/pull/78
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-sha.js.
>
> CVE-2025-9288[0]:
> | Improper Input Validation vulnerability in sha.js allows Input Data
> | Manipulation. This issue affects sha.js: through 2.4.11.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-9288
> https://www.cve.org/CVERecord?id=CVE-2025-9288
> [1] https://github.com/browserify/sha.js/pull/78
> [2] https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5
> [3] https://github.com/browserify/sha.js/commit/f2a258e9f2d0fcd113bfbaa49706e1ac0d979ba5
>
> Regards,
> Salvatore
Hi,
The fix requires a new module node-to-buffer:
$ pkgjs-depends sha.js
# sha.js@2.4.12 (node-sha.js)
# 5 missing npm module(s)
DEPENDENCIES:
node-deep-equal (get-intrinsic, is-typed-array)
node-function-bind (function-bind)
node-inherits (inherits)
node-isarray (isarray)
node-safe-buffer (safe-buffer)
MISSING:
sha.js@2.4.12
└── to-buffer (1.2.1)
└── typed-array-buffer (1.0.3)
└── call-bound (1.0.4)
└── call-bind-apply-helpers (1.0.2)
└── es-errors (1.3.0)
└── (^) es-errors (1.3.0)
I can push this new module (with its deps as uscan-components) in the new
queue. Maybe embed all in the node-sha.js package for Trixie/Bookworm?