CVE-2025-68113

6.5 MEDIUM

📋 TL;DR

A cryptographic binding flaw in the ALTCHA server-side libraries allows challenge payload splicing: the fields that go into the challenge hash are joined without an unambiguous delimiter, so an attacker can re-split an already solved challenge such that the server parses a different, later expiry while the recomputed hash and its HMAC signature still verify. The result is a replay attack in which a previously solved CAPTCHA is reused beyond its intended expiration. This primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. All applications using affected ALTCHA library versions are vulnerable until patched.

💻 Affected Systems

Products:
  • ALTCHA libraries for Go, Ruby, Python, Erlang, Node.js, PHP, Java
Versions: All versions before the patched releases listed under Fix & Mitigation
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects implementations using ALTCHA for CAPTCHA/bot protection. Vulnerability exists in the cryptographic binding between challenge parameters and nonce.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers bypass bot protection entirely, enabling unlimited automated requests that could lead to account takeover, credential stuffing, or denial of service through resource exhaustion.

🟠

Likely Case

Attackers bypass rate limiting and bot detection for specific endpoints, enabling automated spam, scraping, or brute-force attacks.

🟢

If Mitigated

With proper server-side replay handling and short challenge expiration times, impact is limited to minor abuse potential.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of the cryptographic flaw and ability to manipulate challenge payloads, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go: 1.0.0, Ruby: 1.0.0, Python: 1.0.0, Erlang: 1.0.0, Node.js: 1.4.1, PHP: 1.3.1, Java: 1.3.0

Vendor Advisory: https://github.com/altcha-org/altcha-lib-ex/commit/09b2bad466ad0338a5b24245380950ea9918333e

Restart Required: No OS reboot; the application process must be restarted or redeployed so that it loads the patched library

Instructions:

  1. Identify which ALTCHA library (and which language binding) your application uses.
  2. Update to the patched version for your language/platform.
  3. Test CAPTCHA functionality, including a replay attempt with a re-split (spliced) payload, which must now be rejected.
  4. Restart or redeploy the application process so the patched library is actually loaded. This applies to interpreted and compiled languages alike: an already-running process keeps the old code in memory.

🔧 Temporary Workarounds

Delimiter workaround (all platforms)

Terminate the salt with an explicit delimiter before it is hashed and signed, so that the expires parameter can no longer be extended by digits taken from the adjacent solution value. Generate the salt in the format:

<salt>?expires=<time>&

This only protects challenges issued after the change. Challenges issued in the old format and still inside their expiry window remain spliceable until they expire, because the verifier accepts whatever salt layout the hash and signature cover.

🧯 If You Can't Patch

  • Implement strict server-side replay detection with short challenge expiration times
  • Add additional layers of bot protection (rate limiting, IP blocking, behavioral analysis)
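The following Python model is added here as an illustration and is not code from the ALTCHA project. It reproduces the splice against an ALTCHA-style verifier and shows both the delimiter workaround above and the two mitigations listed for the case where you cannot patch: a server-side bound on the accepted expiry and one-time use of each signed challenge. The layout it assumes is taken from this page's description (the challenge is SHA-256 over the salt immediately followed by the solution number, the signature is an HMAC over that hash, and the expiry is carried as `?expires=<time>` in the salt); the key, the function names and the solution number 12345 are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs

# Constructed key for this demo; a deployment uses a random per-server secret.
HMAC_KEY = b"demo-hmac-key-not-for-production"


def _challenge_hash(salt: str, number: str) -> str:
    # Assumed layout: SHA-256(salt || number) with no separator between the two
    # fields, which is the parameter ambiguity the advisory text describes.
    return hashlib.sha256((salt + number).encode()).hexdigest()


def _sign(challenge: str) -> str:
    return hmac.new(HMAC_KEY, challenge.encode(), hashlib.sha256).hexdigest()


def create_challenge(number: str, expires: int, delimiter: bool) -> dict:
    """Server side: signed challenge whose expiry travels in the salt.

    delimiter=False keeps the ambiguous layout; delimiter=True appends the '&'
    terminator from the workaround, so stray digits can no longer extend expires.
    """
    salt = f"{secrets.token_hex(6)}?expires={expires}" + ("&" if delimiter else "")
    challenge = _challenge_hash(salt, number)
    return {"algorithm": "SHA-256", "challenge": challenge, "salt": salt,
            "signature": _sign(challenge),
            "number": number}  # normally brute-forced by the client; constructed here


def verify_solution(payload: dict, now: int, max_ttl: Optional[int] = None,
                    seen: Optional[set] = None) -> bool:
    """Verifier checks. max_ttl and seen are the hardening knobs from the
    'If You Can't Patch' list: bound the accepted expiry and enforce one use."""
    salt, number = payload["salt"], payload["number"]
    if not number.isdigit():
        return False
    query = salt.split("?", 1)[1] if "?" in salt else ""
    expires_field = parse_qs(query).get("expires")
    if not expires_field or not expires_field[0].isdigit():
        return False
    expires = int(expires_field[0])
    if expires < now:
        return False                        # expired
    if max_ttl is not None and expires > now + max_ttl:
        return False                        # later than anything we ever issue
    recomputed = _challenge_hash(salt, number)
    if recomputed != payload["challenge"]:
        return False
    if not hmac.compare_digest(_sign(recomputed), payload["signature"]):
        return False
    if seen is not None:                    # one-time use, keyed by the signed hash
        if recomputed in seen:
            return False
        seen.add(recomputed)
    return True


def splice(payload: dict, digits: int) -> dict:
    """Attacker side: move the first `digits` digits of the number onto the end
    of the salt. salt+number is byte-identical, so the hash and HMAC still
    verify, but the verifier now parses a far larger expires value."""
    n = payload["number"]
    return {**payload, "salt": payload["salt"] + n[:digits], "number": n[digits:]}


def run_scenario(delimiter: bool, max_ttl: Optional[int] = None,
                 seen: Optional[set] = None) -> tuple:
    """Returns (fresh solution accepted, same payload accepted again,
    untouched payload accepted after expiry, spliced payload accepted after expiry)."""
    t0 = 1_700_000_000
    payload = create_challenge("12345", expires=t0 + 60, delimiter=delimiter)
    fresh = verify_solution(payload, t0, max_ttl, seen)
    again = verify_solution(payload, t0, max_ttl, seen)
    late = verify_solution(payload, t0 + 3600, max_ttl, seen)
    # "...?expires=1700000060" + "12345" re-split as "...?expires=17000000601" + "2345"
    spliced = verify_solution(splice(payload, 1), t0 + 3600, max_ttl, seen)
    return fresh, again, late, spliced


if __name__ == "__main__":
    print("vulnerable          :", run_scenario(False))              # (True, True, False, True)
    print("delimiter workaround:", run_scenario(True))               # (True, True, False, False)
    print("unpatched + hardened:", run_scenario(False, 300, set()))  # (True, False, False, False)
```

The two hardening checks are independent of each other and of the library fix: the TTL bound rejects a re-split salt because its expires value lies far beyond any lifetime the server issues, and the one-time set rejects it because the signed challenge hash is unchanged by the splice. The set is keyed on the hash rather than on the salt for exactly that reason; in production it would live in a shared store with entries evicted once the bounded expiry has passed.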

🔍 How to Verify

Check if Vulnerable:

Check if your application uses any ALTCHA library and verify version against affected ranges

Check Version:

Check package manager: npm list altcha-lib, pip show altcha, gem list altcha, go list -m all, etc.

Verify Fix Applied:

Verify library version matches patched version and test CAPTCHA functionality with replay attempts

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful CAPTCHA validations from same challenge ID
  • CAPTCHA submissions with expired timestamps
  • Unusual spike in automated requests

Network Indicators:

  • Repeated CAPTCHA challenge reuse patterns
  • Abnormal request rates bypassing rate limits

SIEM Query:

source="application_logs" AND message="CAPTCHA validation" AND result="success" | stats count by challenge_id | where count > 1

Restrict the count to successful validations: failed retries of the same challenge are normal client behaviour, while two successes for one challenge ID are not. The field names are placeholders and must be mapped onto what your application's verifier actually logs.
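As an added example (not from this page or the ALTCHA project), the same log indicators can be checked offline with a short script. It assumes a key=value verifier log format and a maximum issued challenge lifetime of 300 seconds, both constructed for the demo, and the sample lines are constructed as well. Beyond the SIEM query above, it also flags an accepted expiry that lies further in the future than the server ever issues, which is what a re-split salt looks like in the logs.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Longest expiry the server is configured to issue (assumed value for the demo).
MAX_TTL = 300

# Constructed sample lines in an assumed "key=value" verifier log format.
# Line 3 carries the same challenge hash as line 1, accepted 90 minutes later
# with a salt whose expires value has grown by one digit: a re-split payload.
SAMPLE_LOG = """\
2025-12-01T10:00:00Z captcha_verify result=ok challenge=3f2a9c salt=9c1d2e3f4a5b?expires=1764583260
2025-12-01T10:00:01Z captcha_verify result=ok challenge=7b7b11 salt=0a0a0a0a0a0a?expires=1764583261
2025-12-01T11:30:00Z captcha_verify result=ok challenge=3f2a9c salt=9c1d2e3f4a5b?expires=17645832601
2025-12-01T11:30:05Z captcha_verify result=fail challenge=7b7b11 salt=0a0a0a0a0a0a?expires=1764583261
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) captcha_verify (?P<kv>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict of fields plus an integer epoch 'ts'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    stamp = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["ts"] = int(stamp.timestamp())
    return fields


def expires_from_salt(salt: str):
    """Read the expires parameter the verifier would have parsed from the salt."""
    query = salt.split("?", 1)[1] if "?" in salt else ""
    value = parse_qs(query).get("expires")
    return int(value[0]) if value and value[0].isdigit() else None


def analyse(log_text: str, max_ttl: int = MAX_TTL) -> list:
    """Return (indicator, challenge, detail) tuples for the log indicators above."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    accepted = [e for e in events if e.get("result") == "ok"]
    findings = []
    # Indicator 1: the same signed challenge accepted more than once.
    for challenge, count in Counter(e["challenge"] for e in accepted).items():
        if count > 1:
            findings.append(("replayed_challenge", challenge, count))
    # Indicator 2: an accepted expiry that is already past, or further out
    # than the server ever issues (what a re-split expires value looks like).
    for e in accepted:
        expires = expires_from_salt(e.get("salt", ""))
        if expires is None:
            continue
        if expires < e["ts"]:
            findings.append(("accepted_expired", e["challenge"], expires))
        elif expires > e["ts"] + max_ttl:
            findings.append(("expiry_out_of_range", e["challenge"], expires))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Running it on the sample reports the replayed challenge 3f2a9c (accepted twice) and the out-of-range expiry on its second acceptance. Counting only accepted validations matters here for the same reason as in the SIEM query: repeated failures for one challenge are noise, repeated successes are the replay.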
