Description
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.
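The class of bug described above, as an added illustration; it is not code from @hpke/core or from this advisory. It assumes, which the advisory does not state, that the race comes from advancing the sequence counter only after an awaited encryption call. `RacySender`, `SafeSender`, `aeadSeal` and the base nonce are hypothetical, and the AEAD is a stand-in that only logs the nonce it receives.

```javascript
// Added illustration, not code from @hpke/core. All names and values are hypothetical.
const BASE_NONCE = [0xa1, 0xb2, 0xc3, 0xd4, 0, 0, 0, 0, 0, 0, 0, 0]; // constructed sample

// HPKE (RFC 9180) per-message nonce: base_nonce XOR big-endian sequence number.
function computeNonce(seq) {
  const n = BASE_NONCE.slice();
  for (let i = 0; i < 4; i++) n[n.length - 1 - i] ^= (seq >>> (8 * i)) & 0xff;
  return n.map((b) => b.toString(16).padStart(2, "0")).join("");
}

// Stand-in for an asynchronous AEAD (such as WebCrypto): logs the nonce, encrypts nothing.
async function aeadSeal(log, nonce, plaintext) {
  log.push(nonce);
  await null; // suspension point, as a real async encrypt call would have
  return { nonce, length: plaintext.length };
}

// Assumed vulnerable pattern: the counter advances only after the awaited call.
class RacySender {
  constructor() { this.seq = 0; this.log = []; }
  async seal(pt) {
    const nonce = computeNonce(this.seq);
    const ct = await aeadSeal(this.log, nonce, pt); // other seal() calls start here
    this.seq += 1; // too late: they already read the old seq
    return ct;
  }
}

// Hardened pattern: reserve the sequence number synchronously, before any await.
class SafeSender {
  constructor() { this.seq = 0; this.log = []; }
  async seal(pt) {
    const nonce = computeNonce(this.seq);
    this.seq += 1;
    return aeadSeal(this.log, nonce, pt);
  }
}

// Start n seal() calls without awaiting between them; log holds the nonces the AEAD saw.
function startConcurrent(Sender, n) {
  const s = new Sender();
  const done = Promise.all(Array.from({ length: n }, (_, i) => s.seal(`msg ${i}`)));
  return { log: s.log, done };
}
const hasNonceReuse = (nonces) => new Set(nonces).size !== nonces.length;

for (const S of [RacySender, SafeSender]) console.log(S.name, startConcurrent(S, 3).log);
```

Callers that cannot upgrade immediately get the same effect by awaiting each `seal()` before starting the next on a given sender context.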
Recommendation
Update the @hpke/core package to the latest compatible version. Version details:
- Affected version(s): <= 1.7.4
- Patched version(s): 1.7.5
Tags: npm, @hpke/core
Last updated on November 21, 2025


