Common Weakness Enumeration

CWE-323

Allowed

Reusing a Nonce, Key Pair in Encryption

Abstraction: Base · Status: Incomplete

Nonces should be used for the present occasion and only once.

78 vulnerabilities reference this CWE, most recent first.

GHSA-3P8M-MR3F-JQG6

Vulnerability from github – Published: 2026-07-06 21:30 – Updated: 2026-07-06 21:30
VLAI
Details

Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T21:16:53Z",
    "severity": "HIGH"
  },
  "details": "Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security.",
  "id": "GHSA-3p8m-mr3f-jqg6",
  "modified": "2026-07-06T21:30:42Z",
  "published": "2026-07-06T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21383"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-47H2-CVF5-94GH

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:43
VLAI
Details

Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-20T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).",
  "id": "GHSA-47h2-cvf5-94gh",
  "modified": "2024-04-04T01:43:41Z",
  "published": "2022-05-24T16:54:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7593"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-227-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-574F-3G2M-X479

Vulnerability from github – Published: 2026-04-17 18:31 – Updated: 2026-06-30 19:45
VLAI
Summary
Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks
Details

The GOST 28147-2015 CTR mode implementation (G3413CTRBlockCipher) in the Legion of the Bouncy Castle BC-JAVA bcprov core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe two ciphertexts produced with the same key/IV to recover the XOR of the plaintexts, breaking confidentiality. Affects BC-JAVA from 1.59 before 1.84 (with backported fixes in 1.80.2 and 1.81.1).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk14"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.80.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk15to18"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.80.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.80.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk18on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "fixed": "1.80.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk14"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.80.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk15to18"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.80.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk18on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.80.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-ext-jdk14"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.78.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-ext-jdk15to18"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.78.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-ext-jdk18on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.78.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-ext-debug-jdk14"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.74"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-ext-debug-jdk15to18"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.77"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-ext-debug-jdk18on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59"
            },
            {
              "last_affected": "1.77"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk14"
      },
      "versions": [
        "1.81.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk15to18"
      },
      "versions": [
        "1.81.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk18on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.81.0"
            },
            {
              "fixed": "1.81.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.81.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk14"
      },
      "versions": [
        "1.81.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk15to18"
      },
      "versions": [
        "1.81.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk18on"
      },
      "versions": [
        "1.81.0"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.83"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk14"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82"
            },
            {
              "fixed": "1.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.83"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk15to18"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82"
            },
            {
              "fixed": "1.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.83"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk18on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82"
            },
            {
              "fixed": "1.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.83"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk14"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82"
            },
            {
              "fixed": "1.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.83"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk15to18"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82"
            },
            {
              "fixed": "1.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.83"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-debug-jdk18on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82"
            },
            {
              "fixed": "1.84"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-14813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T19:45:20Z",
    "nvd_published_at": "2026-04-15T10:16:38Z",
    "severity": "CRITICAL"
  },
  "details": "The GOST 28147-2015 CTR mode implementation (`G3413CTRBlockCipher`) in the Legion of the Bouncy Castle BC-JAVA `bcprov` core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe two ciphertexts produced with the same key/IV to recover the XOR of the plaintexts, breaking confidentiality. Affects BC-JAVA from 1.59 before 1.84 (with backported fixes in 1.80.2 and 1.81.1).",
  "id": "GHSA-574f-3g2m-x479",
  "modified": "2026-06-30T19:45:20Z",
  "published": "2026-04-17T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14813.json"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bcgit/bc-java"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458640"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-14813"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:24977"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21772"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18059"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18055"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18054"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:17668"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:14276"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:14272"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:13631"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:11721"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:11720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks"
}

GHSA-5FH3-V3JW-RC9H

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:46
VLAI
Details

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323",
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-17T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.",
  "id": "GHSA-5fh3-v3jw-rc9h",
  "modified": "2025-04-20T03:46:53Z",
  "published": "2022-05-13T01:42:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13078"
    },
    {
      "type": "WEB",
      "url": "https://www.krackattacks.com"
    },
    {
      "type": "WEB",
      "url": "https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-17420"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03792en_us"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208222"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208221"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208220"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208219"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-11-01"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201711-03"
    },
    {
      "type": "WEB",
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en-us/advisories/vde-2017-005"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en-us/advisories/vde-2017-003"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/vulnerabilities/kracks"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2911"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2907"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00020.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3999"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/228519"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101274"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039573"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039576"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039577"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039578"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039581"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039585"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3455-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FMX-VHP4-M6XV

Vulnerability from github – Published: 2024-12-06 15:31 – Updated: 2024-12-06 15:31
VLAI
Details

The authentication process to the web server uses a challenge response procedure which inludes the nonce and additional information. This challenge can be used several times for login and is therefore vulnerable for a replay attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T13:15:06Z",
    "severity": "MODERATE"
  },
  "details": "The authentication process to the web server uses a challenge response procedure which\ninludes the nonce and additional information. This challenge can be used several times for login and is\ntherefore vulnerable for a replay attack.",
  "id": "GHSA-5fmx-vhp4-m6xv",
  "modified": "2024-12-06T15:31:19Z",
  "published": "2024-12-06T15:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11022"
    },
    {
      "type": "WEB",
      "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6635-2FCV-CRPH

Vulnerability from github – Published: 2025-12-22 12:30 – Updated: 2025-12-22 12:30
VLAI
Details

Due to Nonce reuse, attackers can perform reply attack or decrypt captured packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-22T11:15:58Z",
    "severity": "HIGH"
  },
  "details": "Due to Nonce reuse, attackers can perform reply attack or decrypt captured packets.",
  "id": "GHSA-6635-2fcv-crph",
  "modified": "2025-12-22T12:30:21Z",
  "published": "2025-12-22T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61739"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-73G8-5H73-26H4

Vulnerability from github – Published: 2025-11-20 17:36 – Updated: 2025-11-21 22:18
VLAI
Summary
@hpke/core reuses AEAD nonces
Details

Summary

The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.

Details

The SenderContext Seal() implementation allows for concurrent executions to trigger computeNonce() with the same sequence number. This results in the same nonce being used in the suite's AEAD.

PoC

This code reproduces the issue (and also checks for more things that could be wrong with the implementation).

import { CipherSuite, KdfId, AeadId, KemId } from "hpke-js";

const suite = new CipherSuite({
  kem: KemId.DhkemP256HkdfSha256,
  kdf: KdfId.HkdfSha256,
  aead: AeadId.Aes128Gcm,
});

const keypair = await suite.kem.generateKeyPair();
const skR = keypair.privateKey;
const pkR = keypair.publicKey;

const sender = await suite.createSenderContext({
  recipientPublicKey: pkR,
});

const [message0, message1] = await Promise.all([
  sender.seal(
    new TextEncoder().encode("Secret message 1: Attack at dawn").buffer
  ),
  sender.seal(
    new TextEncoder().encode("Secret message 2: Withdraw troops").buffer
  ),
]);

const recipient = await suite.createRecipientContext({
  recipientKey: skR,
  enc: sender.enc,
});

const plaintext0 = await recipient.open(message0);
console.log("✓ Decrypted message seq=0", new TextDecoder().decode(plaintext0));

try {
  console.log(
    "✓ Decrypted message seq=1",
    new TextDecoder().decode(await recipient.open(message1))
  );
  console.log("\n✓ nonce-reuse reproduction completed, code is NOT vulnerable");
} catch (error) {
  // re-sequence the recipient to verify same nonce was used for two messages
  recipient._ctx.seq = 0;
  console.log(
    "❌ Decrypted a different message with seq=0",
    new TextDecoder().decode(await recipient.open(message1))
  );

  console.log(
    "\n✓ nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used"
  );
}

// Test that failed Open() doesn't increment sequence
const recipient2 = await suite.createRecipientContext({
  recipientKey: skR,
  enc: sender.enc,
});

const invalidMessage = new Uint8Array(message0.byteLength);
invalidMessage.set(new Uint8Array(message0));
invalidMessage[0] ^= 0xff; // Corrupt the first byte

try {
  await recipient2.open(invalidMessage.buffer);
} catch {}

// Now try to open the first valid message - should still work with seq=0
try {
  await recipient2.open(message0);
  console.log("✓ Successfully decrypted message with seq=0 after failed open()");
  console.log("✓ Failed open() did NOT increment sequence");
} catch (error) {
  console.log("❌ Failed to decrypt message - sequence was incorrectly incremented");
}

// Test that same message produces same ciphertext due to nonce reuse
const sender2 = await suite.createSenderContext({
  recipientPublicKey: pkR,
});

const sameMessage = new TextEncoder().encode("Identical message").buffer;
const [cipher0, cipher1] = await Promise.all([
  sender2.seal(sameMessage),
  sender2.seal(sameMessage),
]);

const cipher0Array = new Uint8Array(cipher0);
const cipher1Array = new Uint8Array(cipher1);

let identical = true;
if (cipher0Array.length !== cipher1Array.length) {
  identical = false;
} else {
  for (let i = 0; i < cipher0Array.length; i++) {
    if (cipher0Array[i] !== cipher1Array[i]) {
      identical = false;
      break;
    }
  }
}

if (identical) {
  console.log("\n❌ Same message produced IDENTICAL ciphertext (nonce reuse confirmed)");
} else {
  console.log("\n✓ Same message produced different ciphertext (nonces are unique)");
}

Recommendation

Implement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.

Notes

Refs: https://github.com/hpkewg/hpke/issues/38

https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5 The AEADs specified in this document are not secure in case of nonce reuse.

https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6 A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.

The context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@hpke/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-20T17:36:13Z",
    "nvd_published_at": "2025-11-21T19:16:03Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.\n\n### Details\n\nThe SenderContext Seal() [implementation](https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34) allows for concurrent executions to trigger `computeNonce()` with the same sequence number. This results in the same nonce being used in the suite\u0027s AEAD.\n\n### PoC\n\nThis code reproduces the issue (and also checks for more things that could be wrong with the implementation).\n\n```js\nimport { CipherSuite, KdfId, AeadId, KemId } from \"hpke-js\";\n\nconst suite = new CipherSuite({\n  kem: KemId.DhkemP256HkdfSha256,\n  kdf: KdfId.HkdfSha256,\n  aead: AeadId.Aes128Gcm,\n});\n\nconst keypair = await suite.kem.generateKeyPair();\nconst skR = keypair.privateKey;\nconst pkR = keypair.publicKey;\n\nconst sender = await suite.createSenderContext({\n  recipientPublicKey: pkR,\n});\n\nconst [message0, message1] = await Promise.all([\n  sender.seal(\n    new TextEncoder().encode(\"Secret message 1: Attack at dawn\").buffer\n  ),\n  sender.seal(\n    new TextEncoder().encode(\"Secret message 2: Withdraw troops\").buffer\n  ),\n]);\n\nconst recipient = await suite.createRecipientContext({\n  recipientKey: skR,\n  enc: sender.enc,\n});\n\nconst plaintext0 = await recipient.open(message0);\nconsole.log(\"\u2713 Decrypted message seq=0\", new TextDecoder().decode(plaintext0));\n\ntry {\n  console.log(\n    \"\u2713 Decrypted message seq=1\",\n    new TextDecoder().decode(await recipient.open(message1))\n  );\n  console.log(\"\\n\u2713 nonce-reuse reproduction completed, code is NOT vulnerable\");\n} catch (error) {\n  // re-sequence the recipient to verify same nonce was used for two messages\n  recipient._ctx.seq = 0;\n  console.log(\n    \"\u274c Decrypted a different message with seq=0\",\n    new TextDecoder().decode(await recipient.open(message1))\n  );\n\n  console.log(\n    \"\\n\u2713 nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used\"\n  );\n}\n\n// Test that failed Open() doesn\u0027t increment sequence\nconst recipient2 = await suite.createRecipientContext({\n  recipientKey: skR,\n  enc: sender.enc,\n});\n\nconst invalidMessage = new Uint8Array(message0.byteLength);\ninvalidMessage.set(new Uint8Array(message0));\ninvalidMessage[0] ^= 0xff; // Corrupt the first byte\n\ntry {\n  await recipient2.open(invalidMessage.buffer);\n} catch {}\n\n// Now try to open the first valid message - should still work with seq=0\ntry {\n  await recipient2.open(message0);\n  console.log(\"\u2713 Successfully decrypted message with seq=0 after failed open()\");\n  console.log(\"\u2713 Failed open() did NOT increment sequence\");\n} catch (error) {\n  console.log(\"\u274c Failed to decrypt message - sequence was incorrectly incremented\");\n}\n\n// Test that same message produces same ciphertext due to nonce reuse\nconst sender2 = await suite.createSenderContext({\n  recipientPublicKey: pkR,\n});\n\nconst sameMessage = new TextEncoder().encode(\"Identical message\").buffer;\nconst [cipher0, cipher1] = await Promise.all([\n  sender2.seal(sameMessage),\n  sender2.seal(sameMessage),\n]);\n\nconst cipher0Array = new Uint8Array(cipher0);\nconst cipher1Array = new Uint8Array(cipher1);\n\nlet identical = true;\nif (cipher0Array.length !== cipher1Array.length) {\n  identical = false;\n} else {\n  for (let i = 0; i \u003c cipher0Array.length; i++) {\n    if (cipher0Array[i] !== cipher1Array[i]) {\n      identical = false;\n      break;\n    }\n  }\n}\n\nif (identical) {\n  console.log(\"\\n\u274c Same message produced IDENTICAL ciphertext (nonce reuse confirmed)\");\n} else {\n  console.log(\"\\n\u2713 Same message produced different ciphertext (nonces are unique)\");\n}\n```\n\n### Recommendation\n\nImplement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.\n\n### Notes\n\nRefs: https://github.com/hpkewg/hpke/issues/38\n\n\u003e https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5\n\u003e The AEADs specified in this document are not secure in case of nonce reuse.\n\n\u003e https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6\n\u003e A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.\n\nThe context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.",
  "id": "GHSA-73g8-5h73-26h4",
  "modified": "2025-11-21T22:18:25Z",
  "published": "2025-11-20T17:36:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dajiaji/hpke-js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@hpke/core reuses AEAD nonces"
}

GHSA-7HFH-VFCV-WFQP

Vulnerability from github – Published: 2024-04-04 18:30 – Updated: 2025-04-10 21:30
VLAI
Details

There is a difficult to exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 10.8.1 through 11.2 on Windows and Linux, and ArcGIS Enterprise 11.1 and below on Kubernetes which, under unique circumstances, could potentially allow a remote, unauthenticated attacker to compromise the confidentiality, integrity, and availability of the software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-323"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T18:15:11Z",
    "severity": "HIGH"
  },
  "details": "There is a difficult to exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 10.8.1 through 11.2 on Windows and Linux, and ArcGIS Enterprise 11.1 and below on Kubernetes which, under unique circumstances, could potentially allow a remote, unauthenticated attacker to compromise the confidentiality, integrity, and availability of the software.",
  "id": "GHSA-7hfh-vfcv-wfqp",
  "modified": "2025-04-10T21:30:46Z",
  "published": "2024-04-04T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25699"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-88G7-87JG-W4Q9

Vulnerability from github – Published: 2026-06-16 00:34 – Updated: 2026-06-16 18:32
VLAI
Details

Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.

Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it.

The first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical "r".

Keys used to sign more than once with an affected version should be considered compromised.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T23:16:43Z",
    "severity": "CRITICAL"
  },
  "details": "Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.\n\nCrypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it.\n\nThe first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical \"r\".\n\nKeys used to sign more than once with an affected version should be considered compromised.",
  "id": "GHSA-88g7-87jg-w4q9",
  "modified": "2026-06-16T18:32:34Z",
  "published": "2026-06-16T00:34:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12205"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/source/lib/Crypt/DSA.pm#L47"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/15/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9PWC-V5P9-3C37

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:46
VLAI
Details

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323",
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-17T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.",
  "id": "GHSA-9pwc-v5p9-3c37",
  "modified": "2025-04-20T03:46:55Z",
  "published": "2022-05-13T01:43:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13086"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2907"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/vulnerabilities/kracks"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en-us/advisories/vde-2017-005"
    },
    {
      "type": "WEB",
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:07.wpa.asc"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201711-03"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-11-01"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-17420"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa"
    },
    {
      "type": "WEB",
      "url": "https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.krackattacks.com"
    },
    {
      "type": "WEB",
      "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3999"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/228519"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101274"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039573"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039576"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039577"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039578"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039581"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3455-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Refuse to reuse nonce values.

Mitigation
Implementation

Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.

No CAPEC attack patterns related to this CWE.