CVE-2025-64767
Unknown · Unknown Multiple Products
A critical vulnerability has been discovered in the hpke-js encryption library, a component used in multiple software products.
Executive summary
The flaw is a race condition in the hpke-js library's sender context: when Seal() is called concurrently, the AEAD nonce (a value that must be used only once under a given key) can be derived twice, so two different messages are encrypted under the same key and nonce. Nonce reuse voids the security guarantees of the AEAD ciphers HPKE uses. An attacker who captures the affected ciphertexts can recover plaintext relationships between them (and plaintext outright where one message is known or predictable) and, in the AES-GCM case, forge authenticated messages, with a corresponding loss of data confidentiality and integrity for the affected context.
Vulnerability
The vulnerability is a race condition in the public SenderContext Seal() API of hpke-js, a JavaScript/TypeScript implementation of HPKE (RFC 9180). An HPKE context derives each message's AEAD nonce from a per-context base nonce and a sequence counter that must advance exactly once per Seal() call. When multiple Seal() operations are issued concurrently or in rapid succession, the counter is not advanced atomically with respect to the nonce derivation, so two in-flight calls can derive the same nonce and distinct messages are sealed under the same key and nonce. For the AEADs HPKE uses (AES-GCM and ChaCha20-Poly1305), nonce reuse is a catastrophic failure. The keystream is a function of the key and nonce alone, so XOR-ing two ciphertexts sealed under the same pair yields the XOR of their plaintexts, which exposes plaintext wherever one message's content is known or predictable. With AES-GCM, two messages under one nonce additionally allow recovery of the GHASH authentication subkey, after which the attacker can forge ciphertexts that pass tag verification under that key; ChaCha20-Poly1305 likewise reuses its one-time Poly1305 key under a repeated nonce, enabling forgeries for that nonce. The attacker does not learn the AEAD key itself, but for the lifetime of the affected context both confidentiality and integrity are lost.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. The business impact is severe, because the guarantee the library exists to provide, confidentiality and integrity of sealed data, is undermined without any key compromise. Exposure is greatest where an application issues overlapping Seal() calls on one long-lived sender context, for example a server sealing many messages to the same recipient. Exploitation could expose highly sensitive information such as personally identifiable information (PII), financial records, intellectual property, or private communications, resulting in significant data breaches. The consequences include severe reputational damage, loss of customer trust, regulatory fines (e.g., under GDPR, HIPAA), and potential legal liability. Any business process relying on this library for secure data exchange is at high risk of compromise.
Remediation
Immediate Action: Identify every application and dependency that uses hpke-js, including transitive use through other npm packages, and upgrade to the patched release, version 1.7.5 or later, in all affected products. Upgrading stops further nonce reuse but does not undo earlier reuse: ciphertexts already produced by overlapping Seal() calls remain exploitable to whoever captured them, and a long-lived context whose GCM authentication subkey may have been recovered can still be used to forge messages. After patching, therefore, discard existing sender contexts and establish fresh ones (a new HPKE encapsulation yields a fresh key and base nonce), then review historical access and application logs for anomalous activity that might indicate a prior compromise.
Proactive Monitoring: Monitor application logs for errors or unexpected behaviour in encryption and decryption paths, and watch network telemetry for unusual patterns in encrypted traffic or signs of data exfiltration. Nonce reuse cannot be spotted from traffic at all in HPKE, because the nonce is never transmitted (it is derived from the context's base nonce and sequence counter), so detection has to happen inside the application: track in-flight Seal() calls per sender context and alert when two overlap, and otherwise focus on post-compromise indicators such as unauthorized access to data that was presumed to be securely encrypted.
Compensating Controls: If immediate patching is not feasible, remove the concurrency the race depends on: serialize Seal() calls on each sender context (for example, by chaining them through a per-context promise queue or mutex), or use a fresh sender context per message so that no context ever seals twice, at the cost of one encapsulation per message. In addition, enforce transport-layer encryption such as TLS 1.3 on the paths that carry the ciphertext; this denies a network observer the two ciphertexts the attack needs, though it does not help against an attacker positioned inside the TLS endpoint. Restrict access to services using the vulnerable library and consider temporarily disabling non-essential features that rely on it until a patch can be deployed.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1 and the fundamental nature of the failure (an AEAD nonce reused under one key), immediate action is required. Organizations should prioritize identifying all internal and third-party products that use hpke-js, patch them to version 1.7.5 or a later version without delay, and re-establish any long-lived sender contexts afterwards, since ciphertexts and contexts affected before the patch remain exploitable. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit is known, but its severity warrants treating it with the same level of urgency as a known exploited vulnerability.