Description
Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database.
Recommendation
Update the manifest package to the latest compatible version. The version details are as follows:
- Affected version(s): < 4.9.2
- Patched version(s): 4.9.2
References
Related Issues
- Elliptic Uses a Cryptographic Primitive with a Risky Implementation - CVE-2025-14505
- Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate - CVE-2025-59288
- Astro's `X-Forwarded-Host` is reflected without validation - CVE-2025-61925
- Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - CVE-2025-12758
Tags
- npm
- manifest
Last updated on March 04, 2025