Vulnerability-Lookup

CVE-2025-64767 (GCVE-0-2025-64767)

Vulnerability from cvelistv5 – Published: 2025-11-21 18:47 – Updated: 2025-11-21 19:01

Title

hpke-js reuses AEAD nonces

Summary

hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-323 - Reusing a Nonce, Key Pair in Encryption

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/dajiaji/hpke-js/security/advis…	x_refsource_CONFIRM
https://github.com/dajiaji/hpke-js/commit/94a767c…	x_refsource_MISC
https://github.com/dajiaji/hpke-js/blob/b7fd3592c…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
dajiaji	hpke-js	Affected: < 1.7.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64767",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-21T18:59:55.477261Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-21T19:01:11.833Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hpke-js",
          "vendor": "dajiaji",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.7.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-323",
              "description": "CWE-323: Reusing a Nonce, Key Pair in Encryption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-21T18:47:19.930Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4"
        },
        {
          "name": "https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf"
        },
        {
          "name": "https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34"
        }
      ],
      "source": {
        "advisory": "GHSA-73g8-5h73-26h4",
        "discovery": "UNKNOWN"
      },
      "title": "hpke-js reuses AEAD nonces"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64767",
    "datePublished": "2025-11-21T18:47:19.930Z",
    "dateReserved": "2025-11-10T22:29:34.877Z",
    "dateUpdated": "2025-11-21T19:01:11.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-64767",
      "date": "2026-05-31",
      "epss": "0.0003",
      "percentile": "0.09125"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-64767\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-21T19:16:03.497\",\"lastModified\":\"2025-11-25T22:16:42.557\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-323\"}]}],\"references\":[{\"url\":\"https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64767\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-21T18:59:55.477261Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-21T19:01:02.913Z\"}}], \"cna\": {\"title\": \"hpke-js reuses AEAD nonces\", \"source\": {\"advisory\": \"GHSA-73g8-5h73-26h4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dajiaji\", \"product\": \"hpke-js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.7.5\"}]}], \"references\": [{\"url\": \"https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4\", \"name\": \"https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf\", \"name\": \"https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34\", \"name\": \"https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-323\", \"description\": \"CWE-323: Reusing a Nonce, Key Pair in Encryption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-21T18:47:19.930Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-64767\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-21T19:01:11.833Z\", \"dateReserved\": \"2025-11-10T22:29:34.877Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-21T18:47:19.930Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-64767

Vulnerability from fkie_nvd - Published: 2025-11-21 19:16 - Updated: 2026-04-15 00:35

Severity

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34
	security-advisories@github.com	https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf
	security-advisories@github.com	https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5."
    }
  ],
  "id": "CVE-2025-64767",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-21T19:16:03.497",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-323"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-73G8-5H73-26H4

Vulnerability from github – Published: 2025-11-20 17:36 – Updated: 2025-11-21 22:18

Summary

@hpke/core reuses AEAD nonces

Details

Summary

The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.

Details

The SenderContext Seal() implementation allows for concurrent executions to trigger computeNonce() with the same sequence number. This results in the same nonce being used in the suite's AEAD.

PoC

This code reproduces the issue (and also checks for more things that could be wrong with the implementation).

import { CipherSuite, KdfId, AeadId, KemId } from "hpke-js";

const suite = new CipherSuite({
  kem: KemId.DhkemP256HkdfSha256,
  kdf: KdfId.HkdfSha256,
  aead: AeadId.Aes128Gcm,
});

const keypair = await suite.kem.generateKeyPair();
const skR = keypair.privateKey;
const pkR = keypair.publicKey;

const sender = await suite.createSenderContext({
  recipientPublicKey: pkR,
});

const [message0, message1] = await Promise.all([
  sender.seal(
    new TextEncoder().encode("Secret message 1: Attack at dawn").buffer
  ),
  sender.seal(
    new TextEncoder().encode("Secret message 2: Withdraw troops").buffer
  ),
]);

const recipient = await suite.createRecipientContext({
  recipientKey: skR,
  enc: sender.enc,
});

const plaintext0 = await recipient.open(message0);
console.log("✓ Decrypted message seq=0", new TextDecoder().decode(plaintext0));

try {
  console.log(
    "✓ Decrypted message seq=1",
    new TextDecoder().decode(await recipient.open(message1))
  );
  console.log("\n✓ nonce-reuse reproduction completed, code is NOT vulnerable");
} catch (error) {
  // re-sequence the recipient to verify same nonce was used for two messages
  recipient._ctx.seq = 0;
  console.log(
    "❌ Decrypted a different message with seq=0",
    new TextDecoder().decode(await recipient.open(message1))
  );

  console.log(
    "\n✓ nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used"
  );
}

// Test that failed Open() doesn't increment sequence
const recipient2 = await suite.createRecipientContext({
  recipientKey: skR,
  enc: sender.enc,
});

const invalidMessage = new Uint8Array(message0.byteLength);
invalidMessage.set(new Uint8Array(message0));
invalidMessage[0] ^= 0xff; // Corrupt the first byte

try {
  await recipient2.open(invalidMessage.buffer);
} catch {}

// Now try to open the first valid message - should still work with seq=0
try {
  await recipient2.open(message0);
  console.log("✓ Successfully decrypted message with seq=0 after failed open()");
  console.log("✓ Failed open() did NOT increment sequence");
} catch (error) {
  console.log("❌ Failed to decrypt message - sequence was incorrectly incremented");
}

// Test that same message produces same ciphertext due to nonce reuse
const sender2 = await suite.createSenderContext({
  recipientPublicKey: pkR,
});

const sameMessage = new TextEncoder().encode("Identical message").buffer;
const [cipher0, cipher1] = await Promise.all([
  sender2.seal(sameMessage),
  sender2.seal(sameMessage),
]);

const cipher0Array = new Uint8Array(cipher0);
const cipher1Array = new Uint8Array(cipher1);

let identical = true;
if (cipher0Array.length !== cipher1Array.length) {
  identical = false;
} else {
  for (let i = 0; i < cipher0Array.length; i++) {
    if (cipher0Array[i] !== cipher1Array[i]) {
      identical = false;
      break;
    }
  }
}

if (identical) {
  console.log("\n❌ Same message produced IDENTICAL ciphertext (nonce reuse confirmed)");
} else {
  console.log("\n✓ Same message produced different ciphertext (nonces are unique)");
}

Recommendation

Implement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.

Notes

Refs: https://github.com/hpkewg/hpke/issues/38

https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5 The AEADs specified in this document are not secure in case of nonce reuse.

https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6 A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.

The context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@hpke/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-20T17:36:13Z",
    "nvd_published_at": "2025-11-21T19:16:03Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.\n\n### Details\n\nThe SenderContext Seal() [implementation](https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34) allows for concurrent executions to trigger `computeNonce()` with the same sequence number. This results in the same nonce being used in the suite\u0027s AEAD.\n\n### PoC\n\nThis code reproduces the issue (and also checks for more things that could be wrong with the implementation).\n\n```js\nimport { CipherSuite, KdfId, AeadId, KemId } from \"hpke-js\";\n\nconst suite = new CipherSuite({\n  kem: KemId.DhkemP256HkdfSha256,\n  kdf: KdfId.HkdfSha256,\n  aead: AeadId.Aes128Gcm,\n});\n\nconst keypair = await suite.kem.generateKeyPair();\nconst skR = keypair.privateKey;\nconst pkR = keypair.publicKey;\n\nconst sender = await suite.createSenderContext({\n  recipientPublicKey: pkR,\n});\n\nconst [message0, message1] = await Promise.all([\n  sender.seal(\n    new TextEncoder().encode(\"Secret message 1: Attack at dawn\").buffer\n  ),\n  sender.seal(\n    new TextEncoder().encode(\"Secret message 2: Withdraw troops\").buffer\n  ),\n]);\n\nconst recipient = await suite.createRecipientContext({\n  recipientKey: skR,\n  enc: sender.enc,\n});\n\nconst plaintext0 = await recipient.open(message0);\nconsole.log(\"\u2713 Decrypted message seq=0\", new TextDecoder().decode(plaintext0));\n\ntry {\n  console.log(\n    \"\u2713 Decrypted message seq=1\",\n    new TextDecoder().decode(await recipient.open(message1))\n  );\n  console.log(\"\\n\u2713 nonce-reuse reproduction completed, code is NOT vulnerable\");\n} catch (error) {\n  // re-sequence the recipient to verify same nonce was used for two messages\n  recipient._ctx.seq = 0;\n  console.log(\n    \"\u274c Decrypted a different message with seq=0\",\n    new TextDecoder().decode(await recipient.open(message1))\n  );\n\n  console.log(\n    \"\\n\u2713 nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used\"\n  );\n}\n\n// Test that failed Open() doesn\u0027t increment sequence\nconst recipient2 = await suite.createRecipientContext({\n  recipientKey: skR,\n  enc: sender.enc,\n});\n\nconst invalidMessage = new Uint8Array(message0.byteLength);\ninvalidMessage.set(new Uint8Array(message0));\ninvalidMessage[0] ^= 0xff; // Corrupt the first byte\n\ntry {\n  await recipient2.open(invalidMessage.buffer);\n} catch {}\n\n// Now try to open the first valid message - should still work with seq=0\ntry {\n  await recipient2.open(message0);\n  console.log(\"\u2713 Successfully decrypted message with seq=0 after failed open()\");\n  console.log(\"\u2713 Failed open() did NOT increment sequence\");\n} catch (error) {\n  console.log(\"\u274c Failed to decrypt message - sequence was incorrectly incremented\");\n}\n\n// Test that same message produces same ciphertext due to nonce reuse\nconst sender2 = await suite.createSenderContext({\n  recipientPublicKey: pkR,\n});\n\nconst sameMessage = new TextEncoder().encode(\"Identical message\").buffer;\nconst [cipher0, cipher1] = await Promise.all([\n  sender2.seal(sameMessage),\n  sender2.seal(sameMessage),\n]);\n\nconst cipher0Array = new Uint8Array(cipher0);\nconst cipher1Array = new Uint8Array(cipher1);\n\nlet identical = true;\nif (cipher0Array.length !== cipher1Array.length) {\n  identical = false;\n} else {\n  for (let i = 0; i \u003c cipher0Array.length; i++) {\n    if (cipher0Array[i] !== cipher1Array[i]) {\n      identical = false;\n      break;\n    }\n  }\n}\n\nif (identical) {\n  console.log(\"\\n\u274c Same message produced IDENTICAL ciphertext (nonce reuse confirmed)\");\n} else {\n  console.log(\"\\n\u2713 Same message produced different ciphertext (nonces are unique)\");\n}\n```\n\n### Recommendation\n\nImplement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.\n\n### Notes\n\nRefs: https://github.com/hpkewg/hpke/issues/38\n\n\u003e https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5\n\u003e The AEADs specified in this document are not secure in case of nonce reuse.\n\n\u003e https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6\n\u003e A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.\n\nThe context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.",
  "id": "GHSA-73g8-5h73-26h4",
  "modified": "2025-11-21T22:18:25Z",
  "published": "2025-11-20T17:36:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dajiaji/hpke-js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@hpke/core reuses AEAD nonces"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-64767 (GCVE-0-2025-64767)

FKIE_CVE-2025-64767

GHSA-73G8-5H73-26H4

Summary

Details

PoC

Recommendation

Notes

Tags

Sightings

Nomenclature