Altcha Proof-of-Work obfuscation mode cryptanalytic break

Description

A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via mathematical deduction.

Recommendation

No fix is available yet. Followings are affected versions:

• >= 0.8.0, <= 2.2.4

References

• GHSA-mpmc-qchh-r9q8
• altcha.org
• CVE-2025-65849
• CWE-327
• CAPEC-310
• OWASP 2021-A2
• OWASP 2021-A6

Related Issues

• ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay - CVE-2025-68113
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
• Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750

Tags:

npm

altcha