Security Advisory

Dec. 2025: Proof-of-Work Vulnerable to Challenge Splicing and Replay

Vulnerability Summary

ALTCHA libraries are affected by a cryptographic semantic binding flaw that enables challenge payload splicing, which can lead to replay attacks (CWE-115, CWE-347). The HMAC signature only binds to the concatenation of the salt string and the nonce, without clearly delimiting where challenge parameters end and the nonce begins. As a result, an attacker can reinterpret a previously valid payload by shifting digits between the expiration parameter and the nonce. For example, salt?expires=100987 can be treated as salt?expires=1009 with nonce 87.

This vulnerability can make a challenge appear valid for an arbitrarily long time, allowing it to be reused beyond its intended lifetime. In common server implementations that track used nonces only for a limited period and validate expiration using a simple expires > now check, this flaw enables repeated replay of previously solved challenges. An attacker can therefore amortize proof-of-work computation over time, progressively increasing effective throughput without performing additional work.

Impact

Medium. The effective impact depends on server-side replay handling and deployment assumptions. ALTCHA Sentinel versions prior to v1.16.0 are vulnerable.

Recommended Patch

Ensure explicit semantic separation between challenge parameters and the nonce by appending a delimiter to the end of the salt before HMAC computation. Specifically:

  • Before: <salt>?expires=<time>
  • After: <salt>?expires=<time>&

Adding the & delimiter prevents parameter–nonce splicing by clearly terminating the parameter list. This change is backward-compatible with existing implementations, as & is treated as a standard URL parameter separator and does not alter the meaning of previously defined parameters.
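
The splice and the effect of the delimiter, as an added regression check that is not ALTCHA's own code. It assumes a simplified model in which the challenge is SHA-256(salt + nonce) and the signature is HMAC-SHA256 over that challenge; the key, salt, timestamps and function names are constructed for this example. It re-splits an expired solution so that one nonce digit sits at the end of the salt, then checks whether an expires > now verifier accepts it before and after the & is appended.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

KEY = b"constructed-demo-key"  # constructed sample key for this example only


def issue(expires: int, nonce: int, delimiter: str) -> dict:
    """Issue a challenge and return it already solved (nonce known)."""
    salt = f"abc123?expires={expires}{delimiter}"  # constructed salt
    challenge = hashlib.sha256(f"{salt}{nonce}".encode()).hexdigest()
    signature = hmac.new(KEY, challenge.encode(), hashlib.sha256).hexdigest()
    return {"salt": salt, "number": nonce,
            "challenge": challenge, "signature": signature}


def verify(payload: dict, now: int) -> bool:
    """Recompute hash and HMAC, then apply the simple `expires > now` check."""
    salt = payload["salt"]
    challenge = hashlib.sha256(f"{salt}{payload['number']}".encode()).hexdigest()
    signature = hmac.new(KEY, challenge.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(challenge, payload["challenge"]):
        return False
    if not hmac.compare_digest(signature, payload["signature"]):
        return False
    expires = parse_qs(salt.partition("?")[2]).get("expires", ["0"])[0]
    return expires.isdigit() and int(expires) > now


def respliced(payload: dict, shift: int) -> dict:
    """Same hashed bytes, but `shift` nonce digits now sit at the end of the salt."""
    digits = str(payload["number"])
    return {**payload, "salt": payload["salt"] + digits[:shift],
            "number": digits[shift:]}


def replay_accepted(delimiter: str, now: int = 2000) -> bool:
    """Regression check: is a re-split copy of an expired solution accepted?"""
    solved = issue(expires=1009, nonce=87, delimiter=delimiter)
    assert verify(solved, now=1000) and not verify(solved, now=now)
    return verify(respliced(solved, shift=1), now)


if __name__ == "__main__":
    print("before patch:", replay_accepted(delimiter=""))   # True
    print("after patch: ", replay_accepted(delimiter="&"))  # False
```

With the delimiter in place the shifted digit lands after the & as a separate, valueless parameter, so the parsed expires value stays at 1009 and the expired solution is rejected.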

Status

PATCHED

GitHub Advisory: https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959

Timeline

  • Dec. 10, 2025: Reported by Yumechi

  • Dec. 11, 2025: Investigated by ALTCHA and vulnerability confirmed

  • Dec. 14, 2025: This advisory published

    ALTCHA Sentinel patched in version v1.16.0

    Integration libraries patched in the following versions:

    • JS https://github.com/altcha-org/altcha-lib: v1.4.1
    • PHP https://github.com/altcha-org/altcha-lib-php: v1.3.1
    • Python https://github.com/altcha-org/altcha-lib-py: v1.0.0
    • Go https://github.com/altcha-org/altcha-lib-go: v1.0.0
    • Java https://github.com/altcha-org/altcha-lib-java: v1.3.0
    • Elixir https://github.com/altcha-org/altcha-lib-ex: v1.0.0
    • Ruby https://github.com/altcha-org/altcha-lib-ex: v1.0.0
    • Wordpress Plugin v2 https://github.com/altcha-org/altcha-wordpress-next: v2.3.1
    • Wordpress Plugin v1 https://github.com/altcha-org/wordpress-plugin: v1.26.3
  • Dec. 14, 2025: GitHub Advisory published, CVE requested

  • Dec. 15, 2025: Customers and 3rd-party integrators notified
