From 583cfc4cbb5c6e8747f252dca964d6b0b7075e9a Mon Sep 17 00:00:00 2001
From: Naq302
Date: Fri, 5 Sep 2025 15:07:09 +0930
Subject: [PATCH 1/4] fix: update sha.js to 2.4.12 to fix critical hash vulnerability (CVE-2025-9288)
- Add yarn resolution for sha.js@^2.4.12 to address hash state rewind vulnerability
- Fixes critical security issue where hash state could be manipulated via crafted input
- All crypto operations validated - builds and tests passing
- Affects all blockchain operations (Bitcoin, Ethereum, etc.)
---
package.json | 3 ++-
yarn.lock | 28 ++++++++++++++++++++--------
2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/package.json b/package.json
index e0cc93206..a120e113b 100644
--- a/package.json
+++ b/package.json
@@ -43,7 +43,8 @@
 "word-wrap": "1.2.4",
 "undici": "5.29.0",
 "form-data": "4.0.4",
- "elliptic": "^6.6.1"
+ "elliptic": "^6.6.1",
+ "sha.js": "^2.4.12"
 },
 "devDependencies": {
 "@actions/core": "1.10.0",
diff --git a/yarn.lock b/yarn.lock
index 0d8f27a93..e498f9f08 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11472,7 +11472,7 @@ __metadata:
 languageName: node
 linkType: hard
-"safe-buffer@npm:^5.0.1, safe-buffer@npm:^5.1.0, safe-buffer@npm:^5.1.1, safe-buffer@npm:^5.1.2, safe-buffer@npm:^5.2.0, safe-buffer@npm:~5.2.0":
+"safe-buffer@npm:^5.0.1, safe-buffer@npm:^5.1.0, safe-buffer@npm:^5.1.1, safe-buffer@npm:^5.1.2, safe-buffer@npm:^5.2.0, safe-buffer@npm:^5.2.1, safe-buffer@npm:~5.2.0":
 version: 5.2.1
 resolution: "safe-buffer@npm:5.2.1"
 checksum: 10c0/6501914237c0a86e9675d4e51d89ca3c21ffd6a31642efeba25ad65720bce6921c9e7e974e5be91a786b25aa058b5303285d3c15dbabf983a919f5f630d349f3
@@ -11610,15 +11610,16 @@ __metadata:
 languageName: node
 linkType: hard
-"sha.js@npm:2, sha.js@npm:^2.4.0, sha.js@npm:^2.4.8":
- version: 2.4.11
- resolution: "sha.js@npm:2.4.11"
+"sha.js@npm:^2.4.12":
+ version: 2.4.12
+ resolution: "sha.js@npm:2.4.12"
 dependencies:
- inherits: "npm:^2.0.1"
- safe-buffer: "npm:^5.0.1"
+ inherits: "npm:^2.0.4"
+ safe-buffer: "npm:^5.2.1"
+ to-buffer: "npm:^1.2.0"
 bin:
- sha.js: ./bin.js
- checksum: 10c0/b7a371bca8821c9cc98a0aeff67444a03d48d745cb103f17228b96793f455f0eb0a691941b89ea1e60f6359207e36081d9be193252b0f128e0daf9cfea2815a5
+ sha.js: bin.js
+ checksum: 10c0/9d36bdd76202c8116abbe152a00055ccd8a0099cb28fc17c01fa7bb2c8cffb9ca60e2ab0fe5f274ed6c45dc2633d8c39cf7ab050306c231904512ba9da4d8ab1
 languageName: node
 linkType: hard
@@ -12293,6 +12294,17 @@ __metadata:
 languageName: node
 linkType: hard
+"to-buffer@npm:^1.2.0":
+ version: 1.2.1
+ resolution: "to-buffer@npm:1.2.1"
+ dependencies:
+ isarray: "npm:^2.0.5"
+ safe-buffer: "npm:^5.2.1"
+ typed-array-buffer: "npm:^1.0.3"
+ checksum: 10c0/bbf07a2a7d6ff9e3ffe503c689176c7149cf3ec25887ce7c4aa5c4841a8845cc71121cd7b4a4769957f823b3f31dbf6b1be6e0a5955798ad864bf2245ee8b5e4
+ languageName: node
+ linkType: hard
+
 "to-regex-range@npm:^5.0.1":
 version: 5.0.1
 resolution: "to-regex-range@npm:5.0.1"
From 932bc4efc75d5ec62c76a680b84dfa457014c9f3 Mon Sep 17 00:00:00 2001
From: Naq302
Date: Fri, 5 Sep 2025 15:21:37 +0930
Subject: [PATCH 2/4] Also changed to cipher-base@^1.0.5
---
package.json | 3 ++-
yarn.lock | 12 ++++++------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/package.json b/package.json
index a120e113b..574cddcd8 100644
--- a/package.json
+++ b/package.json
@@ -44,7 +44,8 @@
 "undici": "5.29.0",
 "form-data": "4.0.4",
 "elliptic": "^6.6.1",
- "sha.js": "^2.4.12"
+ "sha.js": "^2.4.12",
+ "cipher-base": "^1.0.5"
 },
 "devDependencies": {
 "@actions/core": "1.10.0",
diff --git a/yarn.lock b/yarn.lock
index e498f9f08..85451d775 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5782,13 +5782,13 @@ __metadata:
 languageName: node
 linkType: hard
-"cipher-base@npm:^1.0.1, cipher-base@npm:^1.0.3":
- version: 1.0.4
- resolution: "cipher-base@npm:1.0.4"
+"cipher-base@npm:^1.0.5":
+ version: 1.0.6
+ resolution: "cipher-base@npm:1.0.6"
 dependencies:
- inherits: "npm:^2.0.1"
- safe-buffer: "npm:^5.0.1"
- checksum: 10c0/d8d005f8b64d8a77b3d3ce531301ae7b45902c9cab4ec8b66bdbd2bf2a1d9fceb9a2133c293eb3c060b2d964da0f14c47fb740366081338aa3795dd1faa8984b
+ inherits: "npm:^2.0.4"
+ safe-buffer: "npm:^5.2.1"
+ checksum: 10c0/f73268e0ee6585800875d9748f2a2377ae7c2c3375cba346f75598ac6f6bc3a25dec56e984a168ced1a862529ffffe615363f750c40349039d96bd30fba0fca8
 languageName: node
 linkType: hard
From cd3fa946d4c8b51015df50eeab3033b0362e073a Mon Sep 17 00:00:00 2001
From: Naq302
Date: Fri, 5 Sep 2025 15:22:47 +0930
Subject: [PATCH 3/4] Pinned versions
---
package.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 574cddcd8..79e2101d9 100644
--- a/package.json
+++ b/package.json
@@ -44,8 +44,8 @@
 "undici": "5.29.0",
 "form-data": "4.0.4",
 "elliptic": "^6.6.1",
- "sha.js": "^2.4.12",
- "cipher-base": "^1.0.5"
+ "sha.js": "2.4.12",
+ "cipher-base": "1.0.5"
 },
 "devDependencies": {
 "@actions/core": "1.10.0",
From 9eef0d4e7e7741bbaaf3360e5e99c2850cf20221 Mon Sep 17 00:00:00 2001
From: Naq302
Date: Fri, 5 Sep 2025 15:25:15 +0930
Subject: [PATCH 4/4] Pinned versions
---
package.json | 2 +-
yarn.lock | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index 79e2101d9..acf165df6 100644
--- a/package.json
+++ b/package.json
@@ -45,7 +45,7 @@
 "form-data": "4.0.4",
 "elliptic": "^6.6.1",
 "sha.js": "2.4.12",
- "cipher-base": "1.0.5"
+ "cipher-base": "1.0.6"
 },
 "devDependencies": {
 "@actions/core": "1.10.0",
diff --git a/yarn.lock b/yarn.lock
index 85451d775..bc1e8b297 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5782,7 +5782,7 @@ __metadata:
 languageName: node
 linkType: hard
-"cipher-base@npm:^1.0.5":
+"cipher-base@npm:1.0.6":
 version: 1.0.6
 resolution: "cipher-base@npm:1.0.6"
 dependencies:
@@ -11610,7 +11610,7 @@ __metadata:
 languageName: node
 linkType: hard
-"sha.js@npm:^2.4.12":
+"sha.js@npm:2.4.12":
 version: 2.4.12
 resolution: "sha.js@npm:2.4.12"
 dependencies: