CVE-2025-27508: Emissary May Use a Broken or Risky Cryptographic Algorithm
(updated )
The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required.
References
- github.com/NationalSecurityAgency/emissary
- github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368
- github.com/NationalSecurityAgency/emissary/releases/tag/8.24.0
- github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g
- github.com/advisories/GHSA-hw43-fcmm-3m5g
- nvd.nist.gov/vuln/detail/CVE-2025-27508
Code Behaviors & Features
Detect and mitigate CVE-2025-27508 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →