Description
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.
Recommendation
Update the @hpke/core package to the latest compatible version. Version details:
- Affected version(s): <= 1.7.4
- Patched version(s): 1.7.5
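A simplified model of how this class of race can arise when a sender context reads its sequence number, awaits an asynchronous AEAD call, and only then increments it, shown next to a form that reserves the sequence number before yielding. This is an added example, not @hpke/core code: the class names, the stub AEAD and the base nonce are constructed, and the assumption that the defect follows this pattern is for illustration only.

```javascript
// Model of an HPKE sender context (nonce rule from RFC 9180), not @hpke/core code.
// The AEAD is a stub that awaits, standing in for an async encrypt call.
const BASE_NONCE = Uint8Array.from([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]); // constructed

function computeNonce(baseNonce, seq) {
  // nonce = base_nonce XOR I2OSP(seq, Nn); seq < 2^32 is enough for this model
  const nonce = Uint8Array.from(baseNonce);
  for (let i = 0; i < 4; i++) {
    nonce[nonce.length - 1 - i] ^= (seq >>> (8 * i)) & 0xff;
  }
  return Array.from(nonce, (b) => b.toString(16).padStart(2, "0")).join("");
}

async function stubAead(nonceHex, pt) {
  await Promise.resolve(); // yields to the event loop like a real async encrypt
  return `${nonceHex}:${pt}`;
}

class RacySender {
  constructor() { this.seq = 0; this.nonces = []; }
  async seal(pt) {
    const nonce = computeNonce(BASE_NONCE, this.seq);
    this.nonces.push(nonce);
    const ct = await stubAead(nonce, pt); // a second seal() can start here
    this.seq += 1;                        // too late: seq was read before the await
    return ct;
  }
}

class FixedSender {
  constructor() { this.seq = 0; this.nonces = []; }
  async seal(pt) {
    const seq = this.seq++;               // reserve the sequence number synchronously
    const nonce = computeNonce(BASE_NONCE, seq);
    this.nonces.push(nonce);
    return stubAead(nonce, pt);
  }
}

// Starts two seal() calls without awaiting the first; returns the nonces they used.
function noncesForConcurrentSeals(SenderClass) {
  const sender = new SenderClass();
  Promise.all([sender.seal("msg-a"), sender.seal("msg-b")]).catch(() => {});
  return sender.nonces.slice();
}

function hasNonceReuse(nonces) {
  return new Set(nonces).size !== nonces.length;
}
```

A uniqueness check like `hasNonceReuse` works as a regression test for any wrapper around an async seal API: start several calls without awaiting and assert that no nonce repeats.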
Tags: npm, @hpke/core
Last updated on November 21, 2025