CWE-323
AllowedReusing a Nonce, Key Pair in Encryption
Abstraction: Base · Status: Incomplete
Nonces should be used for the present occasion and only once.
78 vulnerabilities reference this CWE, most recent first.
GHSA-3P8M-MR3F-JQG6
Vulnerability from github – Published: 2026-07-06 21:30 – Updated: 2026-07-06 21:30Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security.
{
"affected": [],
"aliases": [
"CVE-2026-21383"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T21:16:53Z",
"severity": "HIGH"
},
"details": "Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security.",
"id": "GHSA-3p8m-mr3f-jqg6",
"modified": "2026-07-06T21:30:42Z",
"published": "2026-07-06T21:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21383"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-47H2-CVF5-94GH
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:43Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
{
"affected": [],
"aliases": [
"CVE-2019-7593"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).",
"id": "GHSA-47h2-cvf5-94gh",
"modified": "2024-04-04T01:43:41Z",
"published": "2022-05-24T16:54:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7593"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-227-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-574F-3G2M-X479
Vulnerability from github – Published: 2026-04-17 18:31 – Updated: 2026-06-30 19:45The GOST 28147-2015 CTR mode implementation (G3413CTRBlockCipher) in the Legion of the Bouncy Castle BC-JAVA bcprov core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe two ciphertexts produced with the same key/IV to recover the XOR of the plaintexts, breaking confidentiality. Affects BC-JAVA from 1.59 before 1.84 (with backported fixes in 1.80.2 and 1.81.1).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.80.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.80.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.80.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"fixed": "1.80.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.80.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.80.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.80.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.78.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.78.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.78.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-debug-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.74"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-debug-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.77"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-ext-debug-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.59"
},
{
"last_affected": "1.77"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk14"
},
"versions": [
"1.81.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15to18"
},
"versions": [
"1.81.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.81.0"
},
{
"fixed": "1.81.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.81.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk14"
},
"versions": [
"1.81.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk15to18"
},
"versions": [
"1.81.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk18on"
},
"versions": [
"1.81.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.83"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "1.82"
},
{
"fixed": "1.84"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.83"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.82"
},
{
"fixed": "1.84"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.83"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.82"
},
{
"fixed": "1.84"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.83"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk14"
},
"ranges": [
{
"events": [
{
"introduced": "1.82"
},
{
"fixed": "1.84"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.83"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.82"
},
{
"fixed": "1.84"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.83"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcprov-debug-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.82"
},
{
"fixed": "1.84"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14813"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T19:45:20Z",
"nvd_published_at": "2026-04-15T10:16:38Z",
"severity": "CRITICAL"
},
"details": "The GOST 28147-2015 CTR mode implementation (`G3413CTRBlockCipher`) in the Legion of the Bouncy Castle BC-JAVA `bcprov` core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe two ciphertexts produced with the same key/IV to recover the XOR of the plaintexts, breaking confidentiality. Affects BC-JAVA from 1.59 before 1.84 (with backported fixes in 1.80.2 and 1.81.1).",
"id": "GHSA-574f-3g2m-x479",
"modified": "2026-06-30T19:45:20Z",
"published": "2026-04-17T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14813"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14813.json"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813"
},
{
"type": "PACKAGE",
"url": "https://github.com/bcgit/bc-java"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458640"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-14813"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24977"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21772"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18059"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18055"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18054"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17668"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14276"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14272"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13631"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11721"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red",
"type": "CVSS_V4"
}
],
"summary": "Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks"
}
GHSA-5FH3-V3JW-RC9H
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:46Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.
{
"affected": [],
"aliases": [
"CVE-2017-13078"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-17T13:29:00Z",
"severity": "MODERATE"
},
"details": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.",
"id": "GHSA-5fh3-v3jw-rc9h",
"modified": "2025-04-20T03:46:53Z",
"published": "2022-05-13T01:42:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13078"
},
{
"type": "WEB",
"url": "https://www.krackattacks.com"
},
{
"type": "WEB",
"url": "https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-17420"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03792en_us"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208222"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208221"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208220"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208219"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-11-01"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201711-03"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00015.html"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2017-005"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2017-003"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/kracks"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2911"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2907"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00020.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00023.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00024.html"
},
{
"type": "WEB",
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3999"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/228519"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101274"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039573"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039576"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039577"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039578"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039581"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039585"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3455-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FMX-VHP4-M6XV
Vulnerability from github – Published: 2024-12-06 15:31 – Updated: 2024-12-06 15:31The authentication process to the web server uses a challenge response procedure which inludes the nonce and additional information. This challenge can be used several times for login and is therefore vulnerable for a replay attack.
{
"affected": [],
"aliases": [
"CVE-2024-11022"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T13:15:06Z",
"severity": "MODERATE"
},
"details": "The authentication process to the web server uses a challenge response procedure which\ninludes the nonce and additional information. This challenge can be used several times for login and is\ntherefore vulnerable for a replay attack.",
"id": "GHSA-5fmx-vhp4-m6xv",
"modified": "2024-12-06T15:31:19Z",
"published": "2024-12-06T15:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11022"
},
{
"type": "WEB",
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6635-2FCV-CRPH
Vulnerability from github – Published: 2025-12-22 12:30 – Updated: 2025-12-22 12:30Due to Nonce reuse, attackers can perform reply attack or decrypt captured packets.
{
"affected": [],
"aliases": [
"CVE-2025-61739"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-22T11:15:58Z",
"severity": "HIGH"
},
"details": "Due to Nonce reuse, attackers can perform reply attack or decrypt captured packets.",
"id": "GHSA-6635-2fcv-crph",
"modified": "2025-12-22T12:30:21Z",
"published": "2025-12-22T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61739"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-73G8-5H73-26H4
Vulnerability from github – Published: 2025-11-20 17:36 – Updated: 2025-11-21 22:18Summary
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.
Details
The SenderContext Seal() implementation allows for concurrent executions to trigger computeNonce() with the same sequence number. This results in the same nonce being used in the suite's AEAD.
PoC
This code reproduces the issue (and also checks for more things that could be wrong with the implementation).
import { CipherSuite, KdfId, AeadId, KemId } from "hpke-js";
const suite = new CipherSuite({
kem: KemId.DhkemP256HkdfSha256,
kdf: KdfId.HkdfSha256,
aead: AeadId.Aes128Gcm,
});
const keypair = await suite.kem.generateKeyPair();
const skR = keypair.privateKey;
const pkR = keypair.publicKey;
const sender = await suite.createSenderContext({
recipientPublicKey: pkR,
});
const [message0, message1] = await Promise.all([
sender.seal(
new TextEncoder().encode("Secret message 1: Attack at dawn").buffer
),
sender.seal(
new TextEncoder().encode("Secret message 2: Withdraw troops").buffer
),
]);
const recipient = await suite.createRecipientContext({
recipientKey: skR,
enc: sender.enc,
});
const plaintext0 = await recipient.open(message0);
console.log("✓ Decrypted message seq=0", new TextDecoder().decode(plaintext0));
try {
console.log(
"✓ Decrypted message seq=1",
new TextDecoder().decode(await recipient.open(message1))
);
console.log("\n✓ nonce-reuse reproduction completed, code is NOT vulnerable");
} catch (error) {
// re-sequence the recipient to verify same nonce was used for two messages
recipient._ctx.seq = 0;
console.log(
"❌ Decrypted a different message with seq=0",
new TextDecoder().decode(await recipient.open(message1))
);
console.log(
"\n✓ nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used"
);
}
// Test that failed Open() doesn't increment sequence
const recipient2 = await suite.createRecipientContext({
recipientKey: skR,
enc: sender.enc,
});
const invalidMessage = new Uint8Array(message0.byteLength);
invalidMessage.set(new Uint8Array(message0));
invalidMessage[0] ^= 0xff; // Corrupt the first byte
try {
await recipient2.open(invalidMessage.buffer);
} catch {}
// Now try to open the first valid message - should still work with seq=0
try {
await recipient2.open(message0);
console.log("✓ Successfully decrypted message with seq=0 after failed open()");
console.log("✓ Failed open() did NOT increment sequence");
} catch (error) {
console.log("❌ Failed to decrypt message - sequence was incorrectly incremented");
}
// Test that same message produces same ciphertext due to nonce reuse
const sender2 = await suite.createSenderContext({
recipientPublicKey: pkR,
});
const sameMessage = new TextEncoder().encode("Identical message").buffer;
const [cipher0, cipher1] = await Promise.all([
sender2.seal(sameMessage),
sender2.seal(sameMessage),
]);
const cipher0Array = new Uint8Array(cipher0);
const cipher1Array = new Uint8Array(cipher1);
let identical = true;
if (cipher0Array.length !== cipher1Array.length) {
identical = false;
} else {
for (let i = 0; i < cipher0Array.length; i++) {
if (cipher0Array[i] !== cipher1Array[i]) {
identical = false;
break;
}
}
}
if (identical) {
console.log("\n❌ Same message produced IDENTICAL ciphertext (nonce reuse confirmed)");
} else {
console.log("\n✓ Same message produced different ciphertext (nonces are unique)");
}
Recommendation
Implement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.
Notes
Refs: https://github.com/hpkewg/hpke/issues/38
https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5 The AEADs specified in this document are not secure in case of nonce reuse.
https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6 A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.
The context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.4"
},
"package": {
"ecosystem": "npm",
"name": "@hpke/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64767"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-20T17:36:13Z",
"nvd_published_at": "2025-11-21T19:16:03Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nThe public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.\n\n### Details\n\nThe SenderContext Seal() [implementation](https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34) allows for concurrent executions to trigger `computeNonce()` with the same sequence number. This results in the same nonce being used in the suite\u0027s AEAD.\n\n### PoC\n\nThis code reproduces the issue (and also checks for more things that could be wrong with the implementation).\n\n```js\nimport { CipherSuite, KdfId, AeadId, KemId } from \"hpke-js\";\n\nconst suite = new CipherSuite({\n kem: KemId.DhkemP256HkdfSha256,\n kdf: KdfId.HkdfSha256,\n aead: AeadId.Aes128Gcm,\n});\n\nconst keypair = await suite.kem.generateKeyPair();\nconst skR = keypair.privateKey;\nconst pkR = keypair.publicKey;\n\nconst sender = await suite.createSenderContext({\n recipientPublicKey: pkR,\n});\n\nconst [message0, message1] = await Promise.all([\n sender.seal(\n new TextEncoder().encode(\"Secret message 1: Attack at dawn\").buffer\n ),\n sender.seal(\n new TextEncoder().encode(\"Secret message 2: Withdraw troops\").buffer\n ),\n]);\n\nconst recipient = await suite.createRecipientContext({\n recipientKey: skR,\n enc: sender.enc,\n});\n\nconst plaintext0 = await recipient.open(message0);\nconsole.log(\"\u2713 Decrypted message seq=0\", new TextDecoder().decode(plaintext0));\n\ntry {\n console.log(\n \"\u2713 Decrypted message seq=1\",\n new TextDecoder().decode(await recipient.open(message1))\n );\n console.log(\"\\n\u2713 nonce-reuse reproduction completed, code is NOT vulnerable\");\n} catch (error) {\n // re-sequence the recipient to verify same nonce was used for two messages\n recipient._ctx.seq = 0;\n console.log(\n \"\u274c Decrypted a different message with seq=0\",\n new TextDecoder().decode(await recipient.open(message1))\n );\n\n console.log(\n \"\\n\u2713 nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used\"\n );\n}\n\n// Test that failed Open() doesn\u0027t increment sequence\nconst recipient2 = await suite.createRecipientContext({\n recipientKey: skR,\n enc: sender.enc,\n});\n\nconst invalidMessage = new Uint8Array(message0.byteLength);\ninvalidMessage.set(new Uint8Array(message0));\ninvalidMessage[0] ^= 0xff; // Corrupt the first byte\n\ntry {\n await recipient2.open(invalidMessage.buffer);\n} catch {}\n\n// Now try to open the first valid message - should still work with seq=0\ntry {\n await recipient2.open(message0);\n console.log(\"\u2713 Successfully decrypted message with seq=0 after failed open()\");\n console.log(\"\u2713 Failed open() did NOT increment sequence\");\n} catch (error) {\n console.log(\"\u274c Failed to decrypt message - sequence was incorrectly incremented\");\n}\n\n// Test that same message produces same ciphertext due to nonce reuse\nconst sender2 = await suite.createSenderContext({\n recipientPublicKey: pkR,\n});\n\nconst sameMessage = new TextEncoder().encode(\"Identical message\").buffer;\nconst [cipher0, cipher1] = await Promise.all([\n sender2.seal(sameMessage),\n sender2.seal(sameMessage),\n]);\n\nconst cipher0Array = new Uint8Array(cipher0);\nconst cipher1Array = new Uint8Array(cipher1);\n\nlet identical = true;\nif (cipher0Array.length !== cipher1Array.length) {\n identical = false;\n} else {\n for (let i = 0; i \u003c cipher0Array.length; i++) {\n if (cipher0Array[i] !== cipher1Array[i]) {\n identical = false;\n break;\n }\n }\n}\n\nif (identical) {\n console.log(\"\\n\u274c Same message produced IDENTICAL ciphertext (nonce reuse confirmed)\");\n} else {\n console.log(\"\\n\u2713 Same message produced different ciphertext (nonces are unique)\");\n}\n```\n\n### Recommendation\n\nImplement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.\n\n### Notes\n\nRefs: https://github.com/hpkewg/hpke/issues/38\n\n\u003e https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5\n\u003e The AEADs specified in this document are not secure in case of nonce reuse.\n\n\u003e https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6\n\u003e A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.\n\nThe context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.",
"id": "GHSA-73g8-5h73-26h4",
"modified": "2025-11-21T22:18:25Z",
"published": "2025-11-20T17:36:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64767"
},
{
"type": "WEB",
"url": "https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf"
},
{
"type": "PACKAGE",
"url": "https://github.com/dajiaji/hpke-js"
},
{
"type": "WEB",
"url": "https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "@hpke/core reuses AEAD nonces"
}
GHSA-7HFH-VFCV-WFQP
Vulnerability from github – Published: 2024-04-04 18:30 – Updated: 2025-04-10 21:30There is a difficult to exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 10.8.1 through 11.2 on Windows and Linux, and ArcGIS Enterprise 11.1 and below on Kubernetes which, under unique circumstances, could potentially allow a remote, unauthenticated attacker to compromise the confidentiality, integrity, and availability of the software.
{
"affected": [],
"aliases": [
"CVE-2024-25699"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T18:15:11Z",
"severity": "HIGH"
},
"details": "There is a difficult to exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 10.8.1 through 11.2 on Windows and Linux, and ArcGIS Enterprise 11.1 and below on Kubernetes which, under unique circumstances, could potentially allow a remote, unauthenticated attacker to compromise the confidentiality, integrity, and availability of the software.",
"id": "GHSA-7hfh-vfcv-wfqp",
"modified": "2025-04-10T21:30:46Z",
"published": "2024-04-04T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25699"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-88G7-87JG-W4Q9
Vulnerability from github – Published: 2026-06-16 00:34 – Updated: 2026-06-16 18:32Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.
Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it.
The first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical "r".
Keys used to sign more than once with an affected version should be considered compromised.
{
"affected": [],
"aliases": [
"CVE-2026-12205"
],
"database_specific": {
"cwe_ids": [
"CWE-323"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T23:16:43Z",
"severity": "CRITICAL"
},
"details": "Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.\n\nCrypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it.\n\nThe first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical \"r\".\n\nKeys used to sign more than once with an affected version should be considered compromised.",
"id": "GHSA-88g7-87jg-w4q9",
"modified": "2026-06-16T18:32:34Z",
"published": "2026-06-16T00:34:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12205"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/source/lib/Crypt/DSA.pm#L47"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/15/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9PWC-V5P9-3C37
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:46Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
{
"affected": [],
"aliases": [
"CVE-2017-13086"
],
"database_specific": {
"cwe_ids": [
"CWE-323",
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-17T13:29:00Z",
"severity": "MODERATE"
},
"details": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.",
"id": "GHSA-9pwc-v5p9-3c37",
"modified": "2025-04-20T03:46:55Z",
"published": "2022-05-13T01:43:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2907"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/kracks"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2017-005"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201711-03"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-11-01"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-17420"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa"
},
{
"type": "WEB",
"url": "https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt"
},
{
"type": "WEB",
"url": "https://www.krackattacks.com"
},
{
"type": "WEB",
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3999"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/228519"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101274"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039573"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039576"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039577"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039578"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039581"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3455-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Refuse to reuse nonce values.
Mitigation
Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.
No CAPEC attack patterns related to this CWE.