CVE-2025-9288

Publication date 20 August 2025

Last updated 26 September 2025

Ubuntu priority

Description

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js: through 2.4.11.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
node-sha.js	25.04 plucky	Fixed 2.4.11+~2.4.0-2+deb13u1build0.25.04.1
	24.04 LTS noble	Fixed 2.4.11+~2.4.0-2+deb13u1build0.24.04.1
	22.04 LTS jammy	Fixed 2.4.11+~2.4.0-1ubuntu0.1
	20.04 LTS focal	Fixed 2.4.11-2ubuntu0.1~esm1
	18.04 LTS bionic	Fixed 2.4.9-1ubuntu0.1~esm1

How can I get the fixes?
What do statuses mean?

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-7778-1
sha.js vulnerability
25 September 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2025-9288
https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5
https://github.com/browserify/sha.js/pull/78
https://www.cve.org/CVERecord?id=CVE-2025-9287