Home > Vulnerability Database > CVE-2025-64767

Mend.io Vulnerability Database

CVE-2025-64767

Good to know:

Date: November 21, 2025

hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5.

Severity Score

9.1

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64767

Url: https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34

Url: https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4

Url: https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf

Url: https://github.com/dajiaji/hpke-js

Url: https://www.mend.io/vulnerability-database/CVE-2025-64767

Severity Score

9.1

Weakness Type (CWE)

Reusing a Nonce, Key Pair in Encryption

CWE-323

Top Fix

Upgrade Version

Upgrade to version @hpke/core - 1.7.5;https://github.com/dajiaji/hpke-js.git - @hpke/core@1.7.5

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64767

Good to know:

Date: November 21, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?