Description
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.
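The following is an added model of this class of bug, not code from @hpke/core: it shows how deriving the nonce before an `await` and advancing the sequence number after it lets overlapping `seal()` calls share one nonce, next to a variant that reserves the sequence number first. `RacySender`, `ReservingSender`, `aeadSeal` and the base nonce are hypothetical names and constructed values; the nonce derivation follows RFC 9180 (base nonce XOR sequence number).

```javascript
// Added model, not @hpke/core source. All names and the base nonce are constructed.
const BASE_NONCE = Uint8Array.from({ length: 12 }, (_, i) => 0xa0 + i);

// RFC 9180 ComputeNonce: base_nonce XOR big-endian seq, returned as hex.
function computeNonce(seq) {
  const n = Uint8Array.from(BASE_NONCE);
  for (let i = n.length - 1, s = seq; i >= 0 && s > 0; i--, s = Math.floor(s / 256)) {
    n[i] ^= s % 256;
  }
  return Array.from(n, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Stand-in for an asynchronous AEAD call: records the nonce it was given, then yields.
async function aeadSeal(log, nonce, pt) {
  log.push(nonce);
  await Promise.resolve();
  return { nonce, pt }; // no real encryption; only the nonce schedule is modelled
}

class RacySender {
  constructor() { this.seq = 0; this.log = []; }
  async seal(pt) {
    const out = await aeadSeal(this.log, computeNonce(this.seq), pt);
    this.seq += 1; // too late: overlapping seal() calls already read the old seq
    return out;
  }
}

class ReservingSender {
  constructor() { this.seq = 0; this.log = []; }
  async seal(pt) {
    const nonce = computeNonce(this.seq);
    this.seq += 1; // sequence number is reserved before the first await
    return aeadSeal(this.log, nonce, pt);
  }
}

// Issue n seal() calls without awaiting between them; return the nonces the AEAD saw.
function concurrentNonces(Sender, n) {
  const s = new Sender();
  for (let i = 0; i < n; i++) s.seal(`msg ${i}`);
  return s.log;
}

// Regression check: a repeated nonce under one key is a failure.
function hasNonceReuse(nonces) { return new Set(nonces).size !== nonces.length; }

console.log("racy:", concurrentNonces(RacySender, 3));
console.log("reserving:", concurrentNonces(ReservingSender, 3));
```

A check like `hasNonceReuse` over concurrently issued calls is a useful regression test for any code that wraps a stateful sender context.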
Recommendation
Update the @hpke/core package to the latest compatible version. Version details:
- Affected version(s): <= 1.7.4
- Patched version(s): 1.7.5
Tags: npm, @hpke/core
Last updated on November 21, 2025


