Upgrading sha.js for CVE-2025-9288 throws an error

[sihua-caoliu-veriforce]

We are currently working to address a CVE-2025-9288 vulnerability found in the sha.js dependency associated with @apollo/utils.createhash. As part of our efforts, we attempted to override the library version to "sha.js": "2.4.12" in order to mitigate this security risk. Unfortunately, this upgrade has resulted in a ServerParseError thrown in the frontend. We would greatly appreciate any guidance or suggestions on how to proceed to resolve this issue effectively

[phryneas]

That seems like you are getting some kind of error page. Can you look at your network tab and post the actual response you are getting from the server?

[sihua-caoliu-veriforce]

This is the response

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8"/>
        <link rel="icon" href="/favicon.ico"/>
        <meta name="viewport" content="minimum-scale=1,initial-scale=1,width=device-width"/>
        <meta http-equiv="Content-Security-Policy" content=" connect-src 'self' https://api.experianaperture.io https://*.launchdarkly.com https://*.stripe.com https://*.googleapis.com https://*.google-analytics.com https://*.doubleclick.net https://*.analytics.google.com https://*.googletagmanager.com https://*.google.com https://*.google.co.uk https://*.alcumus.com https://*.alcumusdev.net localhost:* https://*.amazonaws.com; default-src 'self' data:; font-src 'self' https://fonts.gstatic.com; frame-src self https://*.stripe.com https://*.stripecdn.com https://*.stripe.network https://*.credasdemo.com https://*.credastest.com https://*.credas.co.uk; img-src 'self' data: https://*.stripe.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com https://*.google.co.uk; object-src 'self'; script-src 'self' 'unsafe-eval' 'wasm-unsafe-eval' https://*.launchdarkly.com https://*.stripe.com https://*.googleapis.com https://*.google-analytics.com https://*.googletagmanager.com; style-src 'self' https://*.googleapis.com 'unsafe-inline'; "/>
        <meta http-equiv="X-XSS-Protection" content="1; mode=block"/>
        <meta http-equiv="X-Content-Type-Options" content="nosniff"/>
        <meta http-equiv="X-Permitted-Cross-Domain-Policies" content="none"/>
        <script src="/env.js"></script>
        <link href="https://fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600&display=swap" rel="stylesheet"/>
        <link rel="stylesheet" href="/assets/css/experian-address-validation.css"/>
        <title>SafeSupplier</title>
        <script defer="defer" src="/static/js/main.81fdb396.js"></script>
        <link href="/static/css/main.9bb26e66.css" rel="stylesheet">
    </head>
    <body>
        <noscript>You need to enable JavaScript to run this app.</noscript>
        <div id="root"></div>
        <div id="modal_root"></div>
        <script src="/assets/js/experian-address-validation.js"></script>
    </body>
</html>

[phryneas]

It seems like your server now serves the GraphQL playground under that url. I don't think that updating a dependency like sha.js could even cause that. Did you do some other changes around the same time that might cause this, or maybe change the way your application is doing the requests?

[xuniaoji]

I'm trying to fix the vulnerability as well.
The @apollo/server-plugin-response-cache is using sha.js@2.4.11

And the sha.js 2.4.12 have fix this issue. So could you update the sha.js version.

Below is what I confirmed:

✅ Confirmed: Version 2.4.12 DOES Fix the Vulnerability
Here's the proof:

Official Security Advisory: GHSA-95m3-7q98-8xr5 was published on August 21, 2025

Affected versions: <= 2.4.11 (all versions up to and including 2.4.11)
Patched versions: 2.4.12 ✅
CVE ID: CVE-2025-9288
Severity: Critical 9.1/10
The vulnerability is exactly what you described: Missing type checks can allow:

Hash state rewind with {length: -x}
Value miscalculation causing hash collisions
DoS attacks
Potential private key extraction in cryptographic libraries
Version 2.4.12 timeline:

Released: July 1, 2025 (3 months ago)
Published by: ljharb (the maintainer)
Security advisory published: August 21, 2025