CWE-1007
Insufficient Visual Distinction of Homoglyphs Presented to User
The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.
CVE-2025-27611 (GCVE-0-2025-27611)
Vulnerability from cvelistv5
- CWE-1007 - Insufficient Visual Distinction of Homoglyphs Presented to User
| Vendor | Product | Version |
|---|---|---|
| cryptocoinjs | base-x | = 5.0.0; = 4.0.0; < 3.0.11 |
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27611",
                "options": [
                  { "Exploitation": "none" },
                  { "Automatable": "no" },
                  { "Technical Impact": "partial" }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-01T18:49:09.602435Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-01T18:49:22.814Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "base-x",
          "vendor": "cryptocoinjs",
          "versions": [
            { "status": "affected", "version": "= 5.0.0" },
            { "status": "affected", "version": "= 4.0.0" },
            { "status": "affected", "version": "\u003c 3.0.11" }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "base-x is a base encoder and decoder of any given alphabet using bitcoin style leading zero compression. Versions 4.0.0, 5.0.0, and all prior to 3.0.11, are vulnerable to attackers potentially deceiving users into sending funds to an unintended address. This issue has been patched in versions 3.0.11, 4.0.1, and 5.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1007",
              "description": "CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T19:36:57.356Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cryptocoinjs/base-x/security/advisories/GHSA-xq7p-g2vc-g82p",
          "tags": [ "x_refsource_CONFIRM" ],
          "url": "https://github.com/cryptocoinjs/base-x/security/advisories/GHSA-xq7p-g2vc-g82p"
        },
        {
          "name": "https://github.com/cryptocoinjs/base-x/pull/86",
          "tags": [ "x_refsource_MISC" ],
          "url": "https://github.com/cryptocoinjs/base-x/pull/86"
        }
      ],
      "source": {
        "advisory": "GHSA-xq7p-g2vc-g82p",
        "discovery": "UNKNOWN"
      },
      "title": "base-x homograph attack allows Unicode lookalike characters to bypass validation."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27611",
    "datePublished": "2025-04-30T19:36:57.356Z",
    "dateReserved": "2025-03-03T15:10:34.079Z",
    "dateUpdated": "2025-05-01T18:49:22.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
```
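The record above says only that lookalike characters could bypass base-x's validation and lead a user to send funds to the wrong address. The following is an added illustration of that bug class, written for this page; it is not base-x's code and not the change in pull request 86. It assumes the standard bitcoin base58 alphabet and models a decoder the way many JavaScript decoders are built: a 256-entry table indexed by UTF-16 code unit, with 255 marking an invalid character. A Cyrillic 'а' (U+0430) has code unit 1072, which reads past the end of the table and yields `undefined`; a check that only rejects the 255 sentinel lets it through, and the string silently decodes to different bytes. The hardened lookup and the `findForeignChars` display check are likewise constructed for this example.

```javascript
// Added example, not code from base-x or from its fix: a minimal bitcoin-style
// base58 decoder in the shape many JavaScript decoders use (a 256-entry table
// indexed by UTF-16 code unit, 255 = "not in alphabet"), with a vulnerable and
// a hardened lookup, plus a display-side check for lookalike characters.

const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const BASE = ALPHABET.length; // 58

// code unit -> digit value; 255 marks "not a base58 character".
const BASE_MAP = new Uint8Array(256).fill(255);
for (let i = 0; i < ALPHABET.length; i++) BASE_MAP[ALPHABET.charCodeAt(i)] = i;

// Vulnerable lookup: only the 255 sentinel is rejected. A code unit above 255
// (Cyrillic 'а' is U+0430 = 1072) reads past the end of the Uint8Array and
// yields undefined, which is not 255, so the character is accepted.
function lookupVulnerable(codeUnit) {
  const v = BASE_MAP[codeUnit];
  return v === 255 ? null : v; // undefined slips through here
}

// Hardened lookup: anything that is not a real table entry is rejected.
function lookupHardened(codeUnit) {
  const v = BASE_MAP[codeUnit];
  return v === undefined || v === 255 ? null : v;
}

// Big-number base58 -> bytes, with leading '1's mapped to leading zero bytes.
// The `>>> 0` coercions mirror the integer arithmetic style of typical
// decoders; they are what turn an undefined digit into silent garbage
// instead of an exception.
function decodeWith(source, lookup) {
  if (source.length === 0) return new Uint8Array(0);
  let zeroes = 0;
  while (zeroes < source.length && source[zeroes] === ALPHABET[0]) zeroes++;
  // log(58)/log(256) ~ 0.733: upper bound on the number of output bytes.
  const size = Math.floor(((source.length - zeroes) * 733) / 1000) + 1;
  const b256 = new Uint8Array(size);
  let length = 0;
  for (let psz = zeroes; psz < source.length; psz++) {
    let carry = lookup(source.charCodeAt(psz));
    if (carry === null) {
      throw new Error(`Non-base58 character at index ${psz}: ${JSON.stringify(source[psz])}`);
    }
    let i = 0;
    for (let it = size - 1; (carry !== 0 || i < length) && it !== -1; it--, i++) {
      carry += (BASE * b256[it]) >>> 0;
      b256[it] = (carry % 256) >>> 0;
      carry = (carry / 256) >>> 0;
    }
    length = i;
  }
  let it = size - length;
  while (it < size && b256[it] === 0) it++;
  const out = new Uint8Array(zeroes + (size - it));
  out.set(b256.subarray(it), zeroes);
  return out;
}

const decodeVulnerable = (s) => decodeWith(s, lookupVulnerable);
const decodeHardened = (s) => decodeWith(s, lookupHardened);

// Display-side check (the CWE-1007 angle): list every character that is not
// in the alphabet with its code point (index counts code points), so a wallet
// UI can refuse the string or highlight the glyph instead of drawing its twin.
function findForeignChars(source) {
  const found = [];
  [...source].forEach((ch, index) => {
    if (!ALPHABET.includes(ch)) {
      const cp = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
      found.push({ index, ch, codePoint: `U+${cp}` });
    }
  });
  return found;
}

// Constructed inputs: "a3gV" is base58 for the bytes 62 62 62; the lookalike
// string swaps the Latin 'a' for Cyrillic 'а' (U+0430), which renders the same.
const GENUINE = 'a3gV';
const LOOKALIKE = '\u04303gV';

console.log('genuine    ->', Array.from(decodeHardened(GENUINE)));    // [98, 98, 98]
console.log('vulnerable ->', Array.from(decodeVulnerable(LOOKALIKE))); // other bytes, no error
try {
  decodeHardened(LOOKALIKE);
} catch (e) {
  console.log('hardened   ->', e.message);
}
console.log('foreign    ->', findForeignChars(LOOKALIKE));
```

The vulnerable path never throws on the lookalike string: the undefined digit becomes `NaN`, the `>>> 0` coercions flatten it to zero, and the caller receives a shorter, different byte string that a checksum elsewhere may or may not catch. The hardened lookup rejects anything that is not an actual table entry, and `findForeignChars` gives the UI layer a way to refuse or flag the string before it is ever displayed as if it were the genuine address.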
Mitigation
Phase: Implementation
Description:
- Use a browser that displays Punycode for IDNs in the URL and status bars, or which color-codes the different scripts in a URL.
- Due to the prominence of homoglyph attacks, several browsers now help safeguard against this attack via the use of Punycode. For example, Mozilla Firefox and Google Chrome will display IDNs as Punycode if the top-level domain does not restrict which characters can be used in domain names, or if a label mixes scripts from different languages.
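The script-mixing rule above is a display policy rather than a parsing rule, so it is easy to get wrong when a client builds its own address bar or link preview. The following is an added example written for this page, not CWE text and not any browser's source: a toy version of that policy that classifies each character by Unicode script (a short list of scripts chosen here as an assumption), lets a non-ASCII label through only when it uses exactly one recognised script, and otherwise falls back to the A-label (Punycode) form that the WHATWG `URL` parser produces. Real browsers apply many more rules (confusable tables, per-TLD allow-lists, whole-script confusables); only the mixed-script decision is shown.

```javascript
// Added example, not from CWE-1007 and not any browser's source: a toy version
// of the "render a label as Punycode when it mixes scripts" display policy.
// Real browsers apply far more rules (confusable tables, per-TLD allow-lists,
// whole-script confusables); this shows only the script-mixing decision.

// Scripts this toy recognises (an assumption); anything else is "Other".
const SCRIPT_NAMES = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Han',
  'Hiragana', 'Katakana', 'Hangul', 'Arabic', 'Hebrew'];
const SCRIPT_TESTS = SCRIPT_NAMES.map(
  (name) => [name, new RegExp(`^\\p{Script=${name}}$`, 'u')]);

// Unicode script of one character; digits and hyphen are "Common" and
// never count as a script.
function scriptOf(ch) {
  if (/^[0-9-]$/.test(ch)) return 'Common';
  for (const [name, re] of SCRIPT_TESTS) if (re.test(ch)) return name;
  return 'Other';
}

// Sorted list of scripts used in one label, Common characters ignored.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    const s = scriptOf(ch);
    if (s !== 'Common') found.add(s);
  }
  return [...found].sort();
}

// Pure-ASCII labels are always shown as-is; a non-ASCII label is shown in
// Unicode only when it uses exactly one recognised script.
function labelIsDisplayable(label) {
  if (/^[\x00-\x7f]*$/.test(label)) return true;
  const scripts = scriptsInLabel(label);
  return scripts.length === 1 && scripts[0] !== 'Other';
}

// hostname: the U-label form a link or certificate presents to the user.
// Returns what the address bar should render plus the A-label form, which
// the WHATWG URL parser (global URL) computes for us.
function displayHostname(hostname) {
  const ascii = new URL(`https://${hostname}/`).hostname;
  const allOk = hostname.toLowerCase().split('.').every(labelIsDisplayable);
  return { display: allOk ? hostname : ascii, ascii, punycodeShown: !allOk };
}

// Constructed inputs: a plain ASCII name, one whose first letter is Cyrillic
// 'а' (U+0430, drawn like Latin 'a' in most fonts), and an all-Cyrillic name
// that a single-script policy is happy to show in Unicode.
for (const host of ['example.com', '\u0430pple.com', '\u044f\u043d\u0434\u0435\u043a\u0441.ru']) {
  const r = displayHostname(host);
  console.log(host, '->', r.display, r.punycodeShown ? '(mixed script, Punycode shown)' : '');
}
```

The mixed-script name is rendered in its `xn--` form, which no longer looks like the brand it imitates, while the all-Cyrillic name stays readable because every character belongs to one script. The `'Other'` bucket is deliberately conservative: a script the policy does not know is shown as Punycode rather than trusted.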
Mitigation
Phase: Implementation
Description:
- Use an email client that has strict filters and prevents messages that mix character sets from reaching a user's inbox.
- Certain email clients such as Google's Gmail prevent the use of non-Latin characters in email addresses or in links contained within emails. This helps prevent homoglyph attacks by flagging such emails and redirecting them to the user's spam folder.
CAPEC-632: Homograph Attack via Homoglyphs
An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.