{"id":"CVE-2025-9288","details":"Improper Input Validation vulnerability in sha.js allows Input Data Manipulation. This issue affects sha.js: through 2.4.11.","aliases":["GHSA-95m3-7q98-8xr5"],"modified":"2026-03-14T12:58:51.630559Z","published":"2025-08-20T22:15:30.750Z","related":["CGA-xc4v-6396-79v2","GHSA-95m3-7q98-8xr5"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/09/msg00016.html"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2025-9287"},{"type":"FIX","url":"https://github.com/browserify/sha.js/pull/78"},{"type":"EVIDENCE","url":"https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/browserify/sha.js","events":[{"introduced":"0"},{"last_affected":"105bfe57c69e13c83fcf7a6ca660dd984cb291bf"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.4.11"}]}}],"versions":["v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.4.0","v2.4.1","v2.4.10","v2.4.11","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.8","v2.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9288.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}