Updated advisory posts against rubysec/ruby-advisory-db@6b7be80

jasnow · RubySec CI · commit 072449d6bf28 · 2025-12-16T17:26:49.000Z
diff --git a/advisories/_posts/2025-12-16-CVE-2025-68113.md b/advisories/_posts/2025-12-16-CVE-2025-68113.md
@@ -0,0 +1,66 @@
+---
+layout: advisory
+title: 'CVE-2025-68113 (altcha): ALTCHA Proof-of-Work Vulnerable to Challenge Splicing
+  and Replay'
+comments: false
+categories:
+- altcha
+advisory:
+  gem: altcha
+  cve: 2025-68113
+  ghsa: 6gvq-jcmp-8959
+  url: https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959
+  title: ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay
+  date: 2025-12-16
+  description: |
+    ### Impact
+
+    A cryptographic semantic binding flaw in ALTCHA libraries allows
+    challenge payload splicing, which may enable replay attacks. The
+    HMAC signature does not unambiguously bind challenge parameters to
+    the nonce, allowing an attacker to reinterpret a valid proof-of-work
+    submission with a modified expiration value.
+
+    This may allow previously solved challenges to be reused beyond
+    their intended lifetime, depending on server-side replay handling
+    and deployment assumptions.
+
+    The vulnerability primarily impacts abuse-prevention mechanisms such
+    as rate limiting and bot mitigation.
+
+    It does not directly affect data confidentiality or integrity.
+
+    ### Patches
+
+    This issue has been addressed by enforcing explicit semantic
+    separation between challenge parameters and the nonce during
+    HMAC computation.
+
+    Users are advised to upgrade to patched versions.
+
+    ### Workarounds
+
+    As a mitigation, implementations may append a delimiter to the
+    end of the `salt` value prior to HMAC computation (for example,
+    `<salt>?expires=<time>&`). This prevents ambiguity between
+    parameters and the nonce and is backward-compatible with existing
+    implementations, as the delimiter is treated as a standard URL
+    parameter separator."
+  cvss_v3: 6.5
+  patched_versions:
+  - ">= 1.0.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-68113
+    - https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959
+    - https://github.com/altcha-org/altcha-lib-ex/commit/09b2bad466ad0338a5b24245380950ea9918333e
+    - https://github.com/altcha-org/altcha-lib-go/commit/4a5610745ef79895a67bac858b2e4f291c2614b8
+    - https://github.com/altcha-org/altcha-lib-java/commit/69277651fdd6418ae10bf3a088901506f9c62114
+    - https://github.com/altcha-org/altcha-lib-php/commit/9e9e70c864a9db960d071c77c778be0c9ff1a4d0
+    - https://github.com/altcha-org/altcha-lib-rb/commit/4fd7b64cbbfc713f3ca4e066c2dd466e3b8d359b
+    - https://github.com/altcha-org/altcha-lib/commit/cb95d83a8d08e273b6be15e48988e7eaf60d5c08
+    - https://github.com/altcha-org/altcha-lib-java/releases/tag/v1.3.0
+    - https://github.com/altcha-org/altcha-lib-php/releases/tag/v1.3.1
+    - https://github.com/altcha-org/altcha-lib/releases/tag/1.4.1
+    - https://github.com/advisories/GHSA-6gvq-jcmp-8959
+---
