CVE-2025-27408 (GCVE-0-2025-27408)
Vulnerability from cvelistv5 – Published: 2025-02-28 17:26 – Updated: 2025-03-04 22:23
VLAI?
Title
Manifest Uses a One-Way Hash without a Salt
Summary
Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.
Severity ?
4.8 (Medium)
CWE
- CWE-759 - Use of a One-Way Hash without a Salt
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27408",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-28T18:10:40.836169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T18:11:49.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "manifest",
"vendor": "mnfst",
"versions": [
{
"status": "affected",
"version": "\u003c 4.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-759",
"description": "CWE-759: Use of a One-Way Hash without a Salt",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T22:23:15.608Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c"
},
{
"name": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69"
}
],
"source": {
"advisory": "GHSA-h8h6-7752-g28c",
"discovery": "UNKNOWN"
},
"title": "Manifest Uses a One-Way Hash without a Salt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27408",
"datePublished": "2025-02-28T17:26:15.196Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-04T22:23:15.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-27408\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-28T18:15:28.983\",\"lastModified\":\"2025-03-04T23:15:10.897\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Manifest ofrece a los usuarios un micro back end de un solo archivo. Antes de la versi\u00f3n 4.9.1, Manifest empleaba una implementaci\u00f3n de hash de contrase\u00f1as d\u00e9bil que utiliza SHA3 sin sal. Esto expone las contrase\u00f1as de los usuarios a un mayor riesgo de ser descifradas si un atacante obtiene acceso a la base de datos. Sin el uso de una sal, las contrase\u00f1as id\u00e9nticas de varios usuarios dar\u00e1n como resultado el mismo hash, lo que facilita que los atacantes identifiquen y exploten patrones, acelerando as\u00ed el proceso de descifrado. La versi\u00f3n 4.9.1 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-759\"}]}],\"references\":[{\"url\":\"https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27408\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-28T18:10:40.836169Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-28T18:11:16.010Z\"}}], \"cna\": {\"title\": \"Manifest Uses a One-Way Hash without a Salt\", \"source\": {\"advisory\": \"GHSA-h8h6-7752-g28c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"mnfst\", \"product\": \"manifest\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.9.2\"}]}], \"references\": [{\"url\": \"https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c\", \"name\": \"https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69\", \"name\": \"https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-759\", \"description\": \"CWE-759: Use of a One-Way Hash without a Salt\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-04T22:23:15.608Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-27408\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-04T22:23:15.608Z\", \"dateReserved\": \"2025-02-24T15:51:17.268Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-28T17:26:15.196Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-H8H6-7752-G28C
Vulnerability from github – Published: 2025-03-03 19:55 – Updated: 2025-03-04 22:23
VLAI?
Summary
Manifest Uses a One-Way Hash without a Salt
Details
Summary
Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process.
Details
Analysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user.
const newUser: AuthenticableEntity = entityRepository.create(signupUserDto)
newUser.password = SHA3(newUser.password).toString()
This approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials.
PoC
- Create two users with the same password (it could be admin or any other authenticatable entity)
- Extract their password hashes from the database
- Verify that both hashes are identical, confirming the absence of unique salts
Impact
This is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to reverse the hashes and obtain user passwords, increasing the risk of compromised accounts and further system exploitation.
Severity ?
4.8 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "manifest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27408"
],
"database_specific": {
"cwe_ids": [
"CWE-759"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-03T19:55:33Z",
"nvd_published_at": "2025-02-28T18:15:28Z",
"severity": "MODERATE"
},
"details": "### Summary\nManifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process.\n\n### Details\nAnalysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user.\n```\nconst newUser: AuthenticableEntity = entityRepository.create(signupUserDto)\nnewUser.password = SHA3(newUser.password).toString()\n```\nThis approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials.\n\n\n\n\n### PoC\n1. Create two users with the same password (it could be admin or any other authenticatable entity)\n2. Extract their password hashes from the database\n3. Verify that both hashes are identical, confirming the absence of unique salts\n\n### Impact\nThis is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to reverse the hashes and obtain user passwords, increasing the risk of compromised accounts and further system exploitation.",
"id": "GHSA-h8h6-7752-g28c",
"modified": "2025-03-04T22:23:26Z",
"published": "2025-03-03T19:55:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27408"
},
{
"type": "WEB",
"url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69"
},
{
"type": "PACKAGE",
"url": "https://github.com/mnfst/manifest"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Manifest Uses a One-Way Hash without a Salt"
}
FKIE_CVE-2025-27408
Vulnerability from fkie_nvd - Published: 2025-02-28 18:15 - Updated: 2025-03-04 23:15
Severity ?
Summary
Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Version 4.9.2 fixes the issue."
},
{
"lang": "es",
"value": "Manifest ofrece a los usuarios un micro back end de un solo archivo. Antes de la versi\u00f3n 4.9.1, Manifest empleaba una implementaci\u00f3n de hash de contrase\u00f1as d\u00e9bil que utiliza SHA3 sin sal. Esto expone las contrase\u00f1as de los usuarios a un mayor riesgo de ser descifradas si un atacante obtiene acceso a la base de datos. Sin el uso de una sal, las contrase\u00f1as id\u00e9nticas de varios usuarios dar\u00e1n como resultado el mismo hash, lo que facilita que los atacantes identifiquen y exploten patrones, acelerando as\u00ed el proceso de descifrado. La versi\u00f3n 4.9.1 soluciona el problema."
}
],
"id": "CVE-2025-27408",
"lastModified": "2025-03-04T23:15:10.897",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-28T18:15:28.983",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-759"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…