Cyber Resilience

CVE-2025-9287

Severity: Critical · Public PoC referenced

Published: 20 August 2025
Modified: 03 November 2025
KEV Added: not listed in the CISA KEV catalog
Patch: available (upstream fix via GitHub PR #23)
CVSS v4.0 base score: 9.1 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N; the remaining threat, environmental and supplemental metrics are not defined, X)
EPSS score: 0.0014 (34.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9287 is a critical-severity Improper Input Validation (CWE-20) vulnerability in the cipher-base npm package (browserify/cipher-base). Its CVSS base score is 9.1 (Critical) under both the v3.1 and v4.0 vectors recorded on this page.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score of 0.0014 places it at the 34.2nd percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9287 is an Improper Input Validation vulnerability (CWE-20) in the cipher-base npm package that allows input data manipulation. It affects cipher-base versions through 1.0.4. The entry was published on 2025-08-20T22:15:30 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

Under the v3.1 vector the flaw is exploitable remotely over the network by an unauthenticated attacker, with low attack complexity and no user interaction. The CVSS v4.0 vector recorded above is more conservative on that point (AC:H, AT:P): whether an attacker can reach the flaw depends on how the consuming application feeds input into the library, so the precondition is application-specific. Both scorings agree on the impact: successful exploitation allows high-impact manipulation of the data the library processes, producing significant integrity and availability disruption with no confidentiality impact.

The upstream fix and its advisory are published in the GitHub security advisory GHSA-cpq7-6gpm-g9rc (https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) and the associated pull request (https://github.com/browserify/cipher-base/pull/23); the Debian LTS announcement (https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html) covers the distribution's packaged copy.

Vulnerability details

Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565 Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

A remotely reachable, unauthenticated input-validation flaw in a cryptography library gives an attacker a path into any Internet-facing application that feeds it untrusted input (T1190), and the resulting integrity impact is a form of data manipulation (T1565).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4755 (shared CWE-20)
CVE-2026-6973 (shared CWE-20)
CVE-2026-23836 (shared CWE-20)
CVE-2025-12275 (shared CWE-20)
CVE-2025-21344 (shared CWE-20)
CVE-2025-43347 (shared CWE-20)
CVE-2026-29143 (shared CWE-20)
CVE-2026-2880 (shared CWE-20)
CVE-2025-1514 (shared CWE-20)
CVE-2026-26063 (shared CWE-20)

Affected Assets

browserify cipher-base (npm), versions ≤ 1.0.4

Mitigating Controls (NIST 800-53 r5; AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Directly requires identification, reporting and correction of flaws such as this one: the vulnerable cipher-base versions (through 1.0.4) should be upgraded to a release that includes the fix from GitHub PR #23, including copies nested under other dependencies in the tree.

SI-10 Information Input Validation (prevent)

Enforces validation of information inputs at system-defined points. Applied here, the application should allow only the input types and encodings it expects to reach the cipher-base API, countering the CWE-20 weakness that enables data manipulation in the vulnerable library.

Vulnerability scanning (detect / respond)

Identifies the presence of vulnerable cipher-base versions across the dependency tree (for example with npm audit or a lockfile scan) so that this network-exploitable, high-CVSS flaw can be remediated before it is reached.

References

https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc
https://github.com/browserify/cipher-base/pull/23
https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html