From 4be294a014255e89e89df1a5c03fe3fb9664a191 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 16 Dec 2025 08:12:29 -0500 Subject: [PATCH] GHSA SYNC: 1 brand new advisory --- gems/altcha/CVE-2025-68113.yml | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 gems/altcha/CVE-2025-68113.yml diff --git a/gems/altcha/CVE-2025-68113.yml b/gems/altcha/CVE-2025-68113.yml new file mode 100644 index 0000000000..d002a0f194 --- /dev/null +++ b/gems/altcha/CVE-2025-68113.yml @@ -0,0 +1,58 @@ +--- +gem: altcha +cve: 2025-68113 +ghsa: 6gvq-jcmp-8959 +url: https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959 +title: ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay +date: 2025-12-16 +description: | + ### Impact + + A cryptographic semantic binding flaw in ALTCHA libraries allows + challenge payload splicing, which may enable replay attacks. The + HMAC signature does not unambiguously bind challenge parameters to + the nonce, allowing an attacker to reinterpret a valid proof-of-work + submission with a modified expiration value. + + This may allow previously solved challenges to be reused beyond + their intended lifetime, depending on server-side replay handling + and deployment assumptions. + + The vulnerability primarily impacts abuse-prevention mechanisms such + as rate limiting and bot mitigation. + + It does not directly affect data confidentiality or integrity. + + ### Patches + + This issue has been addressed by enforcing explicit semantic + separation between challenge parameters and the nonce during + HMAC computation. + + Users are advised to upgrade to patched versions. + + ### Workarounds + + As a mitigation, implementations may append a delimiter to the + end of the `salt` value prior to HMAC computation (for example, + `?expires=