Description
A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value.
Recommendation
Update the altcha-lib package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.4.1
- Patched version(s): 1.4.1
References
Related Issues
- Altcha Proof-of-Work obfuscation mode cryptanalytic break - CVE-2025-65849
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints - CVE-2025-68273
You might also like:
- Tags:
- npm
- altcha-lib
Anything's wrong? Let us know Last updated on December 20, 2025