High severity 7.5 · NVD Advisory · Published Mar 5, 2025 · Updated Apr 15, 2026
CVE-2025-27508
Description
Emissary is a P2P-based, data-driven workflow engine. Its ChecksumCalculator class allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks, can expose users to security risks if used in scenarios where strong cryptographic guarantees are required. This issue is fixed in 8.24.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gov.nsa.emissary:emissary (Maven) | < 8.24.0 | 8.24.0 |
Patches
2878c9d6cefd8da3a81a89775 Merge commit from fork
1 file changed · +15 −7
src/main/java/emissary/kff/ChecksumCalculator.java+15 −7 modified@@ -16,12 +16,20 @@ import java.util.zip.CRC32; /** - * ChecksumCalculator is a utility class which computes checksums and message digests. + * <p> + * ChecksumCalculator is a utility class which computes SHA-1 and CRC32 checksums for use with a {@link KffChain} to + * support document similarity analysis. It can also be configured to compute various other message digests or SSDEEP + * hashes over the same data. + * </p> + * <p> + * NOTE: This class is to support Kff ONLY. It is not meant to provide cryptographically secure hashes or checksums. + * </p> * + * @see KffFile * @see java.util.zip.CRC32 java.util.zip.CRC32 * @see java.security.MessageDigest java.security.MessageDigest */ -public class ChecksumCalculator { +class ChecksumCalculator { /** Used for CRC32 calculations */ @Nullable private CRC32 crc = null; @@ -37,18 +45,18 @@ public class ChecksumCalculator { * * @throws NoSuchAlgorithmException if the SHA algorithm isn't available */ - public ChecksumCalculator() throws NoSuchAlgorithmException { + ChecksumCalculator() throws NoSuchAlgorithmException { this("SHA-1", true); } /** * Constructor initializes specified algorithm * - * @param alg string name of algorightm, e.g. SHA + * @param alg string name of algorithm, e.g. SHA * @param useCrc true if CRC32 should be calculated * @throws NoSuchAlgorithmException if the algorithm isn't available */ - public ChecksumCalculator(String alg, boolean useCrc) throws NoSuchAlgorithmException { + ChecksumCalculator(String alg, boolean useCrc) throws NoSuchAlgorithmException { this(List.of(alg)); setUseCrc(useCrc); } 
@@ -61,7 +69,7 @@ public ChecksumCalculator(String alg, boolean useCrc) throws NoSuchAlgorithmExce */ @Deprecated @SuppressWarnings("AvoidObjectArrays") - public ChecksumCalculator(@Nullable String[] algs) throws NoSuchAlgorithmException { + ChecksumCalculator(@Nullable String[] algs) throws NoSuchAlgorithmException { if (algs != null && algs.length > 0) { for (String alg : algs) { if (alg.equals("CRC32")) { @@ -81,7 +89,7 @@ public ChecksumCalculator(@Nullable String[] algs) throws NoSuchAlgorithmExcepti * @param algs Collection of String algorithm names, put CRC32 on list to enable * @throws NoSuchAlgorithmException if an algorithm isn't available */ - public ChecksumCalculator(@Nullable Collection<String> algs) throws NoSuchAlgorithmException { + ChecksumCalculator(@Nullable Collection<String> algs) throws NoSuchAlgorithmException { if (CollectionUtils.isNotEmpty(algs)) { for (String alg : algs) { if (alg.equals("CRC32")) {
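Review bot: In the class-level hunk (@@ -16,12 +16,20), dropping `public` from `class ChecksumCalculator` removes the type from the public API, so any caller outside the `emissary.kff` package stops compiling against 8.24.0; that should be called out as a breaking change in the release notes. The new Javadoc NOTE says what the class is not meant for but gives no pointer to what a caller who does need a cryptographically secure hash should use instead, and one sentence to that effect would make the NOTE actionable.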
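Review bot: In the constructor hunk (@@ -37,18 +45,18), the no-argument constructor still delegates to `this("SHA-1", true)`, so the default algorithm is unchanged and the only things separating it from security-sensitive callers are the package-private visibility and the Javadoc NOTE. Its Javadoc still reads `@throws NoSuchAlgorithmException if the SHA algorithm isn't available`, and the `@param alg` example still reads `e.g. SHA`; both should name SHA-1 explicitly so the default is unambiguous to maintainers.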
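Review bot: In the array-constructor hunk (@@ -61,7 +69,7), `alg.equals("CRC32")` throws a NullPointerException when the array contains a null element, even though the `algs` parameter itself is null-checked; `"CRC32".equals(alg)` avoids that, and the same comparison appears in the `Collection<String>` constructor in the following hunk. Since this constructor is already `@Deprecated` and is now package-private, consider removing it rather than carrying it forward with `@SuppressWarnings("AvoidObjectArrays")`.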
References
- github.com/advisories/GHSA-hw43-fcmm-3m5g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-27508 (ghsa, ADVISORY)
- github.com/NationalSecurityAgency/emissary/commit/da3a81a8977577597ff2a944820a5ae4e9762368 (nvd, WEB)
- github.com/NationalSecurityAgency/emissary/releases/tag/8.24.0 (ghsa, WEB)
- github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hw43-fcmm-3m5g (nvd, WEB)