Open
@ankitdn
Description
While working on the javascript-datastructures-algorithms project, I found a vulnerability in the cipher-base package, CVE-2025-9287 (used by the javascript-datastructures-algorithms project). This issue is caused by missing input type checks in the create-hash polyfill of Node.js createHash, which can allow hash state rewinding, leading to collisions, DoS, or even private key extraction in cryptographic libraries.
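
The kind of input type check the report says is missing, as an added example (not part of the original issue and not cipher-base's or create-hash's own code): a guard that lets only strings, Buffers, TypedArrays and DataViews reach a hash object's `update()`. The helper names `toHashInput`, `guardedUpdate`, `sha256Hex` and `isRejected` are hypothetical, and Node's built-in `crypto` stands in for the hash object.

```javascript
// Added example: strict type guard in front of a hash object's update().
// Assumption: `hash` is any object with Node-style update()/digest() methods.
const nodeCrypto = require('node:crypto');

// Normalise an accepted input to a Buffer; throw TypeError for anything else.
function toHashInput(data, encoding) {
  if (typeof data === 'string') {
    return Buffer.from(data, encoding || 'utf8');
  }
  if (Buffer.isBuffer(data)) {
    return data;
  }
  // ArrayBuffer.isView() is true for every TypedArray and for DataView.
  if (ArrayBuffer.isView(data)) {
    return Buffer.from(data.buffer, data.byteOffset, data.byteLength);
  }
  // Plain objects, arrays, numbers, null and undefined never reach the
  // hash state, so caller-controlled fields cannot influence it.
  const kind = data === null ? 'null' : Array.isArray(data) ? 'array' : typeof data;
  throw new TypeError(
    'hash input must be a string, Buffer, TypedArray or DataView; got ' + kind
  );
}

// Validate first, then forward the normalised bytes to the real update().
function guardedUpdate(hash, data, encoding) {
  hash.update(toHashInput(data, encoding));
  return hash;
}

// Hash a list of chunks through the guard and return the hex digest.
function sha256Hex(parts) {
  const h = nodeCrypto.createHash('sha256');
  for (const p of parts) {
    guardedUpdate(h, p);
  }
  return h.digest('hex');
}

// True when the guard refuses the value with a TypeError.
function isRejected(value) {
  try {
    toHashInput(value);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```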