ghsa-h8h6-7752-g28c
Vulnerability from github
Published
2025-03-03 19:55
Modified
2025-03-04 22:23
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Manifest Uses a One-Way Hash without a Salt
Details

Summary

Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process.

Details

Analysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user. const newUser: AuthenticableEntity = entityRepository.create(signupUserDto) newUser.password = SHA3(newUser.password).toString() This approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials.

password without salt

PoC

  1. Create two users with the same password (it could be admin or any other authenticatable entity)
  2. Extract their password hashes from the database
  3. Verify that both hashes are identical, confirming the absence of unique salts

Impact

This is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to reverse the hashes and obtain user passwords, increasing the risk of compromised accounts and further system exploitation.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "manifest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-759"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T19:55:33Z",
    "nvd_published_at": "2025-02-28T18:15:28Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nManifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process.\n\n### Details\nAnalysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user.\n```\nconst newUser: AuthenticableEntity = entityRepository.create(signupUserDto)\nnewUser.password = SHA3(newUser.password).toString()\n```\nThis approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials.\n\n![password without salt](https://github.com/user-attachments/assets/8ce816ab-0351-44d4-9aa3-717266441d6e)\n\n\n### PoC\n1. Create two users with the same password (it could be admin or any other authenticatable entity)\n2. Extract their password hashes from the database\n3. Verify that both hashes are identical, confirming the absence of unique salts\n\n### Impact\nThis is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to reverse the hashes and obtain user passwords, increasing the risk of compromised accounts and further system exploitation.",
  "id": "GHSA-h8h6-7752-g28c",
  "modified": "2025-03-04T22:23:26Z",
  "published": "2025-03-03T19:55:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mnfst/manifest/security/advisories/GHSA-h8h6-7752-g28c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27408"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mnfst/manifest/commit/3ed6f1324e96ad469ad929d470dcd0cc386c6c69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mnfst/manifest"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Manifest Uses a One-Way Hash without a Salt"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.