Striae has a hash validation utility vulnerability

Description

Summary

A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks.

Impact

Confirmation package integrity could be bypassed because both content and hash values were mutable in the same trust boundary. An attacker with access to an exported package could alter confirmation data and recompute hashes so hash-only checks still passed.

This affects users relying on digital confirmations as an immutability and forensic chain-of-custody control.

Patches

Patched in v3.0.0.

Upgrade to:
- v3.0.0 or later

Security behavior added in v3.0.0:
- Server-issued asymmetric signatures for forensic manifests
- Canonical payload signature verification during import and manual hash verification
- Fail-closed behavior when signature metadata is missing or invalid
- Signature/key provenance support for audit-related workflows

Workarounds

There is no full cryptographic workaround equivalent to upgrading.

Temporary mitigations:
- Treat hash-only validation as a tamper indicator, not proof of immutability
- Restrict package exchange to trusted authenticated internal channels
- Require out-of-band reviewer attestation for sensitive confirmation workflows
- Pause imports from untrusted sources until upgraded

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-11 14:55:49 UTC
Updated
2026-03-11 20:43:42 UTC
GitHub reviewed
2026-03-11 14:55:49 UTC
NVD published
2026-03-11

EPSS Score

Score Percentile
0.02% 3.42%

CVSS Scores

Base score Version Severity Vector
8.2 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-353 Missing Support for Integrity Check
CWE-354 Improper Validation of Integrity Check Value

Credits

  • StephenJLu (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @striae-org/striae >= 0.9.22-0, < 3.0.0 3.0.0

References

cvelogic Threat Intelligence