Description
hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4
Patch x_refsource_misc
https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf
Scores
CVSS v3
9.1
EPSS
0.0003
EPSS Percentile
8.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-323
Status
published
Products (2)
dajiaji/hpke-js
< 1.7.5
hpke/core
0 - 1.7.5npm
Published
Nov 21, 2025
Tracked Since
Feb 18, 2026