CVE-2025-27508
published 2025-03-05CVE-2025-27508: Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or…
PriorityP340high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
0.19%
9.3th percentile
Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nationalsecurityagency | emissary | < 8.24.0 | 8.24.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Emissary May Use a Broken or Risky Cryptographic Algorithm
ghsa·2025-03-05
CVE-2025-27508 [HIGH] CWE-327 Emissary May Use a Broken or Risky Cryptographic Algorithm
Emissary May Use a Broken or Risky Cryptographic Algorithm
### Summary
The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required.
### Requirement from NIST
Requirement from NIST regarding SHA1
https://csrc.nist.gov/projects/hash-functions#:~:text=NIST%20deprecated%20the%20use%20of,use%20of%20the%20SHA%2D1.
> Federal agencies should use SHA-2 or SHA-3 as an alternative to SHA-1.
> Further guidance will be available soon. Send questions on the
OSV
Emissary May Use a Broken or Risky Cryptographic Algorithm
osv·2025-03-05
CVE-2025-27508 [HIGH] Emissary May Use a Broken or Risky Cryptographic Algorithm
Emissary May Use a Broken or Risky Cryptographic Algorithm
### Summary
The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required.
### Requirement from NIST
Requirement from NIST regarding SHA1
https://csrc.nist.gov/projects/hash-functions#:~:text=NIST%20deprecated%20the%20use%20of,use%20of%20the%20SHA%2D1.
> Federal agencies should use SHA-2 or SHA-3 as an alternative to SHA-1.
> Further guidance will be available soon. Send questions on the
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-05
Published