EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
@hpke/coreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.
Details
The SenderContext Seal() implementation allows for concurrent executions to trigger computeNonce() with the same sequence number. This results in the same nonce being used in the suite's AEAD.
PoC
This code reproduces the issue (and also checks for more things that could be wrong with the implementation).
import { CipherSuite, KdfId, AeadId, KemId } from "hpke-js";
const suite = new CipherSuite({
kem: KemId.DhkemP256HkdfSha256,
kdf: KdfId.HkdfSha256,
aead: AeadId.Aes128Gcm,
});
const keypair = await suite.kem.generateKeyPair();
const skR = keypair.privateKey;
const pkR = keypair.publicKey;
const sender = await suite.createSenderContext({
recipientPublicKey: pkR,
});
const [message0, message1] = await Promise.all([
sender.seal(
new TextEncoder().encode("Secret message 1: Attack at dawn").buffer
),
sender.seal(
new TextEncoder().encode("Secret message 2: Withdraw troops").buffer
),
]);
const recipient = await suite.createRecipientContext({
recipientKey: skR,
enc: sender.enc,
});
const plaintext0 = await recipient.open(message0);
console.log("✓ Decrypted message seq=0", new TextDecoder().decode(plaintext0));
try {
console.log(
"✓ Decrypted message seq=1",
new TextDecoder().decode(await recipient.open(message1))
);
console.log("\n✓ nonce-reuse reproduction completed, code is NOT vulnerable");
} catch (error) {
// re-sequence the recipient to verify same nonce was used for two messages
recipient._ctx.seq = 0;
console.log(
"❌ Decrypted a different message with seq=0",
new TextDecoder().decode(await recipient.open(message1))
);
console.log(
"\n✓ nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used"
);
}
// Test that failed Open() doesn't increment sequence
const recipient2 = await suite.createRecipientContext({
recipientKey: skR,
enc: sender.enc,
});
const invalidMessage = new Uint8Array(message0.byteLength);
invalidMessage.set(new Uint8Array(message0));
invalidMessage[0] ^= 0xff; // Corrupt the first byte
try {
await recipient2.open(invalidMessage.buffer);
} catch {}
// Now try to open the first valid message - should still work with seq=0
try {
await recipient2.open(message0);
console.log("✓ Successfully decrypted message with seq=0 after failed open()");
console.log("✓ Failed open() did NOT increment sequence");
} catch (error) {
console.log("❌ Failed to decrypt message - sequence was incorrectly incremented");
}
// Test that same message produces same ciphertext due to nonce reuse
const sender2 = await suite.createSenderContext({
recipientPublicKey: pkR,
});
const sameMessage = new TextEncoder().encode("Identical message").buffer;
const [cipher0, cipher1] = await Promise.all([
sender2.seal(sameMessage),
sender2.seal(sameMessage),
]);
const cipher0Array = new Uint8Array(cipher0);
const cipher1Array = new Uint8Array(cipher1);
let identical = true;
if (cipher0Array.length !== cipher1Array.length) {
identical = false;
} else {
for (let i = 0; i < cipher0Array.length; i++) {
if (cipher0Array[i] !== cipher1Array[i]) {
identical = false;
break;
}
}
}
if (identical) {
console.log("\n❌ Same message produced IDENTICAL ciphertext (nonce reuse confirmed)");
} else {
console.log("\n✓ Same message produced different ciphertext (nonces are unique)");
}
Recommendation
Implement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.
Notes
Refs: https://github.com/hpkewg/hpke/issues/38
https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5 The AEADs specified in this document are not secure in case of nonce reuse.
https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6 A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.
The context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @hpke/core | all versions | 1.7.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @hpke/core. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @hpke/core to 1.7.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-73g8-5h73-26h4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-73g8-5h73-26h4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-73g8-5h73-26h4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-73g8-5h73-26h4 in your dependencies?
O3 detects GHSA-73g8-5h73-26h4 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.