CVE-2025-27508
Published: 05 March 2025
Description
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-27508 affects Emissary, a peer-to-peer (P2P) based data-driven workflow engine developed by the National Security Agency. The vulnerability resides in the ChecksumCalculator class, which supports hashing and checksum generation using algorithms that are no longer recommended for secure cryptographic applications, such as SHA-1, CRC32, and SSDEEP. While these may suffice for non-security-critical tasks, their use in scenarios requiring strong cryptographic integrity can lead to risks like hash collisions or weak verification, tracked under CWE-327 (Broken Cryptographic Algorithms). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on March 5, 2025.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special setup. Exploitation targets the integrity (I:H) aspect, potentially allowing adversaries to manipulate data by generating collisions or bypassing checksum validations in Emissary workflows, without impacting confidentiality or availability. Any unauthenticated network actor interacting with Emissary instances using the affected ChecksumCalculator could achieve this, compromising the trustworthiness of data processing in P2P environments.
The GitHub security advisory (GHSA-hw43-fcmm-3m5g) and associated commit (da3a81a8977577597ff2a944820a5ae4e9762368) confirm the fix in Emissary version 8.24.0, recommending immediate upgrades to eliminate the weak algorithms. Practitioners should review deployments for prior versions and audit usage of ChecksumCalculator to ensure it aligns with security requirements.
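An added example (not Emissary code and not taken from the advisory) of the kind of check an audit can apply: flag the algorithms named above in a configured list, and refuse them when verifying data integrity. The function names, the SHA-2 allow-list and the sample inputs are assumptions made for this illustration.

```python
import hashlib
import hmac

# Algorithms the advisory names as unsuitable for integrity checks.
WEAK = {"SHA1", "CRC32", "SSDEEP"}
# Assumed policy for this example: SHA-2 digests available in hashlib.
ALLOWED = {"SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


def normalize(name: str) -> str:
    """Fold 'sha-1', 'SHA_1' and 'Sha1' to one spelling before policy checks."""
    return name.upper().replace("-", "").replace("_", "")


def audit_algorithms(configured):
    """Return the configured algorithm names that fall in the weak set."""
    return [name for name in configured if normalize(name) in WEAK]


def compute_digest(data: bytes, algorithm: str) -> str:
    """Hash data, refusing weak or unknown algorithms instead of falling back."""
    key = normalize(algorithm)
    if key in WEAK:
        raise ValueError(f"{algorithm} is not acceptable for integrity checks")
    if key not in ALLOWED:
        raise ValueError(f"{algorithm} is not on the allow-list")
    return hashlib.new(ALLOWED[key], data).hexdigest()


def verify(data: bytes, algorithm: str, expected_hex: str) -> bool:
    """Compare digests in constant time; expected_hex must come from a trusted source."""
    actual = compute_digest(data, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample: an algorithm list as it might appear in a deployment.
    print(audit_algorithms(["SHA-1", "CRC32", "SHA-256"]))
    payload = b"abc"  # constructed sample payload
    good = compute_digest(payload, "SHA-256")
    print(verify(payload, "sha256", good), verify(payload + b"!", "sha256", good))
```

An unkeyed digest only detects tampering when the expected value reaches the verifier over a channel the adversary cannot modify.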
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The weak checksum algorithms (SHA-1, CRC32, SSDEEP) let an adversary generate collisions that pass checksum validation and so manipulate data in P2P workflows without detection, which directly facilitates transmitted data manipulation.