|
| 1 | +--- |
| 2 | +gem: altcha |
| 3 | +cve: 2025-68113 |
| 4 | +ghsa: 6gvq-jcmp-8959 |
| 5 | +url: https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959 |
| 6 | +title: ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay |
| 7 | +date: 2025-12-16 |
| 8 | +description: | |
| 9 | + ### Impact |
| 10 | +
|
| 11 | + A cryptographic semantic binding flaw in ALTCHA libraries allows |
| 12 | + challenge payload splicing, which may enable replay attacks. The |
| 13 | + HMAC signature does not unambiguously bind challenge parameters to |
| 14 | + the nonce, allowing an attacker to reinterpret a valid proof-of-work |
| 15 | + submission with a modified expiration value. |
| 16 | +
|
| 17 | + This may allow previously solved challenges to be reused beyond |
| 18 | + their intended lifetime, depending on server-side replay handling |
| 19 | + and deployment assumptions. |
| 20 | +
|
| 21 | + The vulnerability primarily impacts abuse-prevention mechanisms such |
| 22 | + as rate limiting and bot mitigation. |
| 23 | +
|
| 24 | + It does not directly affect data confidentiality or integrity. |
| 25 | +
|
| 26 | + ### Patches |
| 27 | +
|
| 28 | + This issue has been addressed by enforcing explicit semantic |
| 29 | + separation between challenge parameters and the nonce during |
| 30 | + HMAC computation. |
| 31 | +
|
| 32 | + Users are advised to upgrade to patched versions. |
| 33 | +
|
| 34 | + ### Workarounds |
| 35 | +
|
| 36 | + As a mitigation, implementations may append a delimiter to the |
| 37 | + end of the `salt` value prior to HMAC computation (for example, |
| 38 | + `<salt>?expires=<time>&`). This prevents ambiguity between |
| 39 | + parameters and the nonce and is backward-compatible with existing |
| 40 | + implementations, as the delimiter is treated as a standard URL |
| 41 | + parameter separator." |
| 42 | +cvss_v3: 6.5 |
| 43 | +patched_versions: |
| 44 | + - ">= 1.0.0" |
| 45 | +related: |
| 46 | + url: |
| 47 | + - https://nvd.nist.gov/vuln/detail/CVE-2025-68113 |
| 48 | + - https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959 |
| 49 | + - https://github.com/altcha-org/altcha-lib-ex/commit/09b2bad466ad0338a5b24245380950ea9918333e |
| 50 | + - https://github.com/altcha-org/altcha-lib-go/commit/4a5610745ef79895a67bac858b2e4f291c2614b8 |
| 51 | + - https://github.com/altcha-org/altcha-lib-java/commit/69277651fdd6418ae10bf3a088901506f9c62114 |
| 52 | + - https://github.com/altcha-org/altcha-lib-php/commit/9e9e70c864a9db960d071c77c778be0c9ff1a4d0 |
| 53 | + - https://github.com/altcha-org/altcha-lib-rb/commit/4fd7b64cbbfc713f3ca4e066c2dd466e3b8d359b |
| 54 | + - https://github.com/altcha-org/altcha-lib/commit/cb95d83a8d08e273b6be15e48988e7eaf60d5c08 |
| 55 | + - https://github.com/altcha-org/altcha-lib-java/releases/tag/v1.3.0 |
| 56 | + - https://github.com/altcha-org/altcha-lib-php/releases/tag/v1.3.1 |
| 57 | + - https://github.com/altcha-org/altcha-lib/releases/tag/1.4.1 |
| 58 | + - https://github.com/advisories/GHSA-6gvq-jcmp-8959 |
0 commit comments