CVE-2025-64767: 
JavaScript vulnerability analysis and mitigation

CVE-2025-64767 affects the hpke-js library, a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. The vulnerability was discovered and disclosed on November 19, 2025, affecting versions 1.7.4 and earlier of the @hpke/core npm package (Debian Tracker, GitHub Advisory).

The vulnerability is a race condition in the public SenderContext Seal() API implementation that allows concurrent executions to trigger computeNonce() with the same sequence number. This results in the same AEAD (Authenticated Encryption with Associated Data) nonce being reused for multiple Seal() calls. The vulnerability has been assigned a CVSS score of 9.1 (Critical) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high severity impacts on confidentiality and integrity (Miggo).

The vulnerability can lead to a complete loss of confidentiality and integrity of the produced messages when exploited. This is particularly severe as nonce reuse in AEAD operations can compromise the security guarantees of the encryption system (GitHub Advisory).

The vulnerability has been patched in version 1.7.5 of the @hpke/core package. The fix implements a synchronization mechanism using a Mutex to ensure that only one seal()/open() operation per context can be executed at a time. Users are strongly advised to upgrade to version 1.7.5 or later (GitHub Advisory).