GHSA-H8H6-7752-G28C

Vulnerability from github – Published: 2025-03-03 19:55 – Updated: 2025-03-04 22:23
VLAI?
Summary
Manifest Uses a One-Way Hash without a Salt
Details

Summary

Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process.

Details

Analysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user.

const newUser: AuthenticableEntity = entityRepository.create(signupUserDto)
newUser.password = SHA3(newUser.password).toString()

This approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials.

password without salt

PoC

  1. Create two users with the same password (it could be admin or any other authenticatable entity)
  2. Extract their password hashes from the database
  3. Verify that both hashes are identical, confirming the absence of unique salts

Impact

This is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to reverse the hashes and obtain user passwords, increasing the risk of compromised accounts and further system exploitation.

Severity ?
4.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "manifest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-759"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T19:55:33Z",
    "nvd_published_at": "2025-02-28T18:15:28Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nManifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process.\n\n### Details\nAnalysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user.\n```\nconst newUser: AuthenticableEntity = entityRepository.create(signupUserDto)\nnewUser.password = SHA3(newUser.password).toString()\n```\nThis approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials.\n\n![password without salt](https://github.com/user-attachments/assets/8ce816ab-0351-44d4-9aa3-717266441d6e)\n\n\n### PoC\n1. Create two users with the same password (it could be admin or any other authenticatable entity)\n2. Extract their password hashes from the database\n3. Verify that both hashes are identical, confirming the absence of unique salts\n\n### Impact\nThis is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to reverse the hashes and obtain user passwords, increasing the risk of compromised accounts and further system exploitation.",
  "id": "GHSA-h8h6-7752-g28c",
  "modified": "2025-03-04T22:23:26Z",
  "published": "2025-03-03T19:55:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27408"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mnfst/manifest"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Manifest Uses a One-Way Hash without a Salt"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.