GHSA-mmf8-487q-p45m

Source

https://github.com/advisories/GHSA-mmf8-487q-p45m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mmf8-487q-p45m/GHSA-mmf8-487q-p45m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mmf8-487q-p45m

Aliases

CVE-2026-31839

Published

2026-03-11T14:55:49Z

Modified

2026-03-13T10:48:12.621012Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Striae has a hash validation utility vulnerability

Details

Summary

A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks.

Impact

Confirmation package integrity could be bypassed because both content and hash values were mutable in the same trust boundary. An attacker with access to an exported package could alter confirmation data and recompute hashes so hash-only checks still passed.

This affects users relying on digital confirmations as an immutability and forensic chain-of-custody control.

Patches

Patched in v3.0.0.

Upgrade to: - v3.0.0 or later

Security behavior added in v3.0.0: - Server-issued asymmetric signatures for forensic manifests - Canonical payload signature verification during import and manual hash verification - Fail-closed behavior when signature metadata is missing or invalid - Signature/key provenance support for audit-related workflows

Workarounds

There is no full cryptographic workaround equivalent to upgrading.

Temporary mitigations: - Treat hash-only validation as a tamper indicator, not proof of immutability - Restrict package exchange to trusted authenticated internal channels - Require out-of-band reviewer attestation for sensitive confirmation workflows - Pause imports from untrusted sources until upgraded

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T14:55:49Z",
    "severity": "HIGH",
    "nvd_published_at": "2026-03-11T17:16:58Z",
    "cwe_ids": [
        "CWE-327",
        "CWE-353",
        "CWE-354"
    ]
}

References

Affected packages

npm / @striae-org/striae

Package

Name: @striae-org/striae; View open source insights on deps.dev
Purl: pkg:npm/%40striae-org/striae

Affected ranges

Type: SEMVER
Events: Introduced

0.9.22-0

Fixed

3.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mmf8-487q-p45m/GHSA-mmf8-487q-p45m.json"