Security Vulnerability: Critical CVE in sha.js dependency

[adam-smycz]

Security Vulnerability: Critical CVE in sha.js dependency

Summary

The package @apollo/utils.createhash@3.0.1 depends on sha.js@2.4.11, which contains a critical security vulnerability (CVE-2025-9288).

Vulnerability Details

• CVE ID: CVE-2025-9288
• Severity: Critical
• Affected Component: sha.js@2.4.11
• GHSA: GHSA-95m3-7q98-8xr5
• NVD Reference: CVE-2025-9288

Affected Package

• Package: @apollo/utils.createhash
• Version: 3.0.1
• Dependency: sha.js@^2.4.11
• Package.json: Link

Evidence

The vulnerable dependency is declared in the package.json:

{
  "dependencies": {
    "@apollo/utils.isnodelike": "^3.0.0",
    "sha.js": "^2.4.11"
  }
}

Requested Action
Please update the sha.js dependency to a patched version that addresses CVE-2025-9288, or consider migrating to an alternative hashing library if no patch is available.

[phryneas]

Hi @adam-smycz

I believe that this is a misconception about how npm dependencies work.
That package @apollo/utils.createhash has a dependency on ^2.4.11, not 2.4.11 - that means “anything in the range >=2.4.11 <3.0.0”.

You can play around with this on the npm semver calculator.

Your package manager should be able to update to 2.4.12 just fine, and any future installation of @apollo/utils.createhash will end up using the latest, non-vulnerable version.

As an example, when you create a new project like this:

{
  "name": "test",
  "dependencies": {
    "@apollo/utils.createhash": "^3.0.1"
  }
}

Running the commands:

% npm i

added 32 packages, and audited 33 packages in 777ms

16 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

% npm audit
found 0 vulnerabilities

% npm why sha.js
sha.js@2.4.12
node_modules/sha.js
  sha.js@"^2.4.11" from @apollo/utils.createhash@3.0.1
  node_modules/@apollo/utils.createhash
    @apollo/utils.createhash@"^3.0.1" from the root project

% npm ls sha.js
test@ /tmp/test
└─┬ @apollo/utils.createhash@3.0.1
  └── sha.js@2.4.12

Npm behaves as expected, does not install the vulnerable version, and npm audit seems to take that on correctly.

So you can see that @apollo/utils.createhash doesn't force you to be on that version - it's just the minimal version it works with, but it will also work with newer versions and package managers will pick a non-vulnerable version automatically without requiring an update on our end.

Did you run npm update or npm update sha.js on your end before running npm audit?

[christoshrousis]

We have @apollo/server as a package but don't have @apollo/utils.

I did a small recreation with both npm and pnpm could confirm that it installs the latest version of sha.js.

We are using latest pnpm and where unable to get onto latest version.

The fix, was to delete our node_modules folder then re-install from scratch.