CVE-2025-9287
Published: 20 August 2025
Summary
CVE-2025-9287 is a critical-severity Improper Input Validation (CWE-20) vulnerability in cipher-base, the Browserify npm package. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The flaw is ranked at the 34.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-9287 is an Improper Input Validation vulnerability in the cipher-base npm package that allows Input Data Manipulation. The issue affects cipher-base versions through 1.0.4. The vulnerability, classified as CWE-20, was published on 2025-08-20T22:15:30.557 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
The CVSS vector describes a flaw reachable over the network by an unauthenticated attacker, with low attack complexity and no user interaction required. Successful exploitation lets the attacker manipulate the data the library processes, yielding high integrity and availability impact but no confidentiality impact.
Advisories and patches addressing mitigation are detailed in the GitHub security advisory at https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc, a related pull request at https://github.com/browserify/cipher-base/pull/23, and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25405
Vulnerability details
Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4.
- CWE-20: Improper Input Validation
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1565 Data Manipulation
Why these techniques?
A remotely reachable, unauthenticated input validation flaw in a crypto library used by web applications is a direct path to exploiting a public-facing application (T1190), and the resulting control over what the library processes enables data manipulation (T1565).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires identification, reporting, and correction of flaws like the improper input validation in cipher-base versions through 1.0.4, with a patch available via GitHub PR #23.
- SI-10 (Information Input Validation): Enforces validation of information inputs at system-defined points, countering the CWE-20 improper input validation that enables data manipulation in the vulnerable cipher-base library.
- RA-5 (Vulnerability Monitoring and Scanning): Provides vulnerability scanning to identify and remediate the presence of vulnerable cipher-base versions, enabling proactive mitigation of this critical-severity, network-exploitable flaw.