CVE-2025-27408

描述

### Summary Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. ### Details Analysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user. ``` const newUser: AuthenticableEntity = entityRepository.create(signupUserDto) newUser.password = SHA3(newUser.password).toString() ``` This approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials.  ### PoC 1. Create two users with the same password (it could be admin or any other authenticatable entity) 2. Extract their password hashes from the database 3. Verify that both hashes are identical, confirming the absence of unique salts ### Impact This is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to reverse the hashes and obtain user passwords, increasing the risk of compromised accounts and further system exploitation.

如何修補 CVE-2025-27408

要修補 CVE-2025-27408,請將受影響套件升級到下列已修補版本。

• —升級至 4.9.2 或更新版本

CVE-2025-27408 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 4.9.2