Description
A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value.
Recommendation
Update the altcha-lib package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.4.1
- Patched version(s): 1.4.1
References
Related Issues
- Altcha Proof-of-Work obfuscation mode cryptanalytic break - CVE-2025-65849
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function - CVE-2025-3194
- Tags:
- npm
- altcha-lib
Anything's wrong? Let us know Last updated on December 20, 2025