CVE-2025-27508

Public Exploit
Emissary Use of a Broken or Risky Cryptographic Algorithm

Description

Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.02%
Affected: NationalSecurityAgency emissary
Published at:
Updated at:

References

Link Tags
https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g
https://github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368

Frequently Asked Questions

What is the severity of CVE-2025-27508?
CVE-2025-27508 has been scored as a high severity vulnerability.
How to fix CVE-2025-27508?
To fix CVE-2025-27508, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-27508 being actively exploited in the wild?
It is possible that CVE-2025-27508 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-27508?
CVE-2025-27508 affects NationalSecurityAgency emissary.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.