Description
A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value.
Recommendation
Update the altcha-lib package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.4.1
- Patched version(s): 1.4.1
References
Related Issues
- Server secret was included in static assets and served to clients - Vulnerability
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- Astro vulnerable to reflected XSS via the server islands feature - CVE-2025-64764
- Trix allows Cross-site Scripting via `javascript:` url in a link - CVE-2025-21610
- Tags:
- npm
- altcha-lib
Anything's wrong? Let us know Last updated on December 20, 2025