GHSA-MMF8-487Q-P45M

Vulnerability from github – Published: 2026-03-11 14:55 – Updated: 2026-03-11 20:43
Summary
Striae has a hash validation utility vulnerability
Details

Summary

A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks.

Impact

Confirmation package integrity could be bypassed because both content and hash values were mutable in the same trust boundary. An attacker with access to an exported package could alter confirmation data and recompute hashes so hash-only checks still passed.

This affects users relying on digital confirmations as an immutability and forensic chain-of-custody control.

Patches

Patched in v3.0.0.

Upgrade to:
- v3.0.0 or later

Security behavior added in v3.0.0:
- Server-issued asymmetric signatures for forensic manifests
- Canonical payload signature verification during import and manual hash verification
- Fail-closed behavior when signature metadata is missing or invalid
- Signature/key provenance support for audit-related workflows

Workarounds

There is no full cryptographic workaround equivalent to upgrading.

Temporary mitigations:
- Treat hash-only validation as a tamper indicator, not proof of immutability
- Restrict package exchange to trusted authenticated internal channels
- Require out-of-band reviewer attestation for sensitive confirmation workflows
- Pause imports from untrusted sources until upgraded


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@striae-org/striae"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.22-0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-353",
      "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T14:55:49Z",
    "nvd_published_at": "2026-03-11T17:16:58Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA high-severity integrity bypass vulnerability existed in Striae\u0027s digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks.\n\n## Impact\n\nConfirmation package integrity could be bypassed because both content and hash values were mutable in the same trust boundary. An attacker with access to an exported package could alter confirmation data and recompute hashes so hash-only checks still passed.\n\nThis affects users relying on digital confirmations as an immutability and forensic chain-of-custody control.\n\n## Patches\n\nPatched in **v3.0.0**.\n\nUpgrade to:\n- `v3.0.0` or later\n\nSecurity behavior added in v3.0.0:\n- Server-issued asymmetric signatures for forensic manifests\n- Canonical payload signature verification during import and manual hash verification\n- Fail-closed behavior when signature metadata is missing or invalid\n- Signature/key provenance support for audit-related workflows\n\n## Workarounds\n\nThere is no full cryptographic workaround equivalent to upgrading.\n\nTemporary mitigations:\n- Treat hash-only validation as a tamper indicator, not proof of immutability\n- Restrict package exchange to trusted authenticated internal channels\n- Require out-of-band reviewer attestation for sensitive confirmation workflows\n- Pause imports from untrusted sources until upgraded",
  "id": "GHSA-mmf8-487q-p45m",
  "modified": "2026-03-11T20:43:41Z",
  "published": "2026-03-11T14:55:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31839"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/striae-org/striae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/striae-org/striae/releases/tag/v3.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Striae has a hash validation utility vulnerability"
}

