Summary
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages.
Details
The SenderContext Seal() implementation allows for concurrent executions to trigger computeNonce() with the same sequence number. This results in the same nonce being used in the suite's AEAD.
PoC
This code reproduces the issue (and also checks for more things that could be wrong with the implementation).
import { CipherSuite, KdfId, AeadId, KemId } from "hpke-js";
const suite = new CipherSuite({
kem: KemId.DhkemP256HkdfSha256,
kdf: KdfId.HkdfSha256,
aead: AeadId.Aes128Gcm,
});
const keypair = await suite.kem.generateKeyPair();
const skR = keypair.privateKey;
const pkR = keypair.publicKey;
const sender = await suite.createSenderContext({
recipientPublicKey: pkR,
});
const [message0, message1] = await Promise.all([
sender.seal(
new TextEncoder().encode("Secret message 1: Attack at dawn").buffer
),
sender.seal(
new TextEncoder().encode("Secret message 2: Withdraw troops").buffer
),
]);
const recipient = await suite.createRecipientContext({
recipientKey: skR,
enc: sender.enc,
});
const plaintext0 = await recipient.open(message0);
console.log("✓ Decrypted message seq=0", new TextDecoder().decode(plaintext0));
try {
console.log(
"✓ Decrypted message seq=1",
new TextDecoder().decode(await recipient.open(message1))
);
console.log("\n✓ nonce-reuse reproduction completed, code is NOT vulnerable");
} catch (error) {
// re-sequence the recipient to verify same nonce was used for two messages
recipient._ctx.seq = 0;
console.log(
"❌ Decrypted a different message with seq=0",
new TextDecoder().decode(await recipient.open(message1))
);
console.log(
"\n✓ nonce-reuse reproduction completed, code is vulnerable, nonces are reused when concurrent calls to .seal() are used"
);
}
// Test that failed Open() doesn't increment sequence
const recipient2 = await suite.createRecipientContext({
recipientKey: skR,
enc: sender.enc,
});
const invalidMessage = new Uint8Array(message0.byteLength);
invalidMessage.set(new Uint8Array(message0));
invalidMessage[0] ^= 0xff; // Corrupt the first byte
try {
await recipient2.open(invalidMessage.buffer);
} catch {}
// Now try to open the first valid message - should still work with seq=0
try {
await recipient2.open(message0);
console.log("✓ Successfully decrypted message with seq=0 after failed open()");
console.log("✓ Failed open() did NOT increment sequence");
} catch (error) {
console.log("❌ Failed to decrypt message - sequence was incorrectly incremented");
}
// Test that same message produces same ciphertext due to nonce reuse
const sender2 = await suite.createSenderContext({
recipientPublicKey: pkR,
});
const sameMessage = new TextEncoder().encode("Identical message").buffer;
const [cipher0, cipher1] = await Promise.all([
sender2.seal(sameMessage),
sender2.seal(sameMessage),
]);
const cipher0Array = new Uint8Array(cipher0);
const cipher1Array = new Uint8Array(cipher1);
let identical = true;
if (cipher0Array.length !== cipher1Array.length) {
identical = false;
} else {
for (let i = 0; i < cipher0Array.length; i++) {
if (cipher0Array[i] !== cipher1Array[i]) {
identical = false;
break;
}
}
}
if (identical) {
console.log("\n❌ Same message produced IDENTICAL ciphertext (nonce reuse confirmed)");
} else {
console.log("\n✓ Same message produced different ciphertext (nonces are unique)");
}
Notes
Refs: https://github.com/hpkewg/hpke/issues/38
https://www.rfc-editor.org/rfc/rfc9180.html#section-9.7.5
The AEADs specified in this document are not secure in case of nonce reuse.
https://www.rfc-editor.org/rfc/rfc9180.html#section-5-6
A context is an implementation-specific structure that encodes the AEAD algorithm and key in use, and manages the nonces used so that the same nonce is not used with multiple plaintexts.
The context implementation in @hpke/core is not correct given its AEAD Seal() is awaited/asynchronous.
Impact
CVE-2025-64767 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.7.5); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Implement a synchronization mechanism such that only one seal()/open() per context can be executed at a time.
Frequently Asked Questions
- What is CVE-2025-64767? CVE-2025-64767 is a critical-severity security vulnerability in @hpke/core (npm), affecting versions <= 1.7.4. It is fixed in 1.7.5.
- How severe is CVE-2025-64767? CVE-2025-64767 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @hpke/core are affected by CVE-2025-64767? @hpke/core (npm) versions <= 1.7.4 is affected.
- Is there a fix for CVE-2025-64767? Yes. CVE-2025-64767 is fixed in 1.7.5. Upgrade to this version or later.
- Is CVE-2025-64767 exploitable, and should I be worried? Whether CVE-2025-64767 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-64767 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-64767? Upgrade
@hpke/coreto 1.7.5 or later.