Description
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.
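The nonce re-use described above, as an added example that is not code from @hpke/core: a simplified sender context that reads its sequence number before an awaited AEAD call and increments it afterwards, next to a variant that reserves the sequence number before any `await`. The class names, `fakeAeadSeal`, and the exact shape of the race are assumptions made for illustration; the nonce derivation (base nonce XOR sequence number) follows RFC 9180.

```javascript
// Simplified model of an HPKE sender context (illustrative, not @hpke/core source).
// RFC 9180: nonce = base_nonce XOR I2OSP(seq, Nn); seq increases by one per message.
function computeNonce(baseNonce, seq) {
  const nonce = Uint8Array.from(baseNonce);
  let s = BigInt(seq);
  for (let i = nonce.length - 1; i >= 0 && s > 0n; i--) {
    nonce[i] ^= Number(s & 0xffn);
    s >>= 8n;
  }
  return nonce;
}

const hex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// Hypothetical stand-in for an asynchronous AEAD call (e.g. WebCrypto). It only
// yields to the event loop and returns the nonce it was given, so re-use is visible.
async function fakeAeadSeal(nonce, _plaintext) {
  await Promise.resolve();
  return hex(nonce);
}

class RacySender {
  constructor(baseNonce) { this.baseNonce = baseNonce; this.seq = 0; }
  async seal(pt) {
    const nonce = computeNonce(this.baseNonce, this.seq);
    const out = await fakeAeadSeal(nonce, pt); // other seal() calls start here
    this.seq += 1;                             // too late: seq was already read
    return out;
  }
}

class SafeSender {
  constructor(baseNonce) { this.baseNonce = baseNonce; this.seq = 0; }
  async seal(pt) {
    const seq = this.seq++;                    // reserve before any await
    return fakeAeadSeal(computeNonce(this.baseNonce, seq), pt);
  }
}

// Issue n seal() calls without awaiting between them; resolves to the nonces used.
function sealConcurrently(sender, n) {
  const calls = [];
  for (let i = 0; i < n; i++) calls.push(sender.seal(`msg ${i}`));
  return Promise.all(calls);
}

const BASE = new Uint8Array(12).fill(0xa5); // constructed 12-byte base nonce
sealConcurrently(new RacySender(BASE), 3).then((n) => console.log("racy:", n));
sealConcurrently(new SafeSender(BASE), 3).then((n) => console.log("safe:", n));
```

Code that cannot upgrade immediately can get the same effect by awaiting each `seal()` on a given context before starting the next one.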
Recommendation
Update the @hpke/core package to the latest compatible version. Version details:
- Affected version(s): <= 1.7.4
- Patched version(s): 1.7.5
- Tags:
- npm
- @hpke/core
Last updated on November 21, 2025