Description
Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0.
Published: 2026-03-11
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Integrity Bypass
Action: Patch
AI Analysis

Impact

A flaw in Striae’s hash‑validation routine allows an attacker to modify both the manifest hash and the associated package contents, causing tampered confirmation packages to be accepted as authentic. This improper validation of cryptographic parameters (CWE‑354) can lead to forensic data being altered without detection, undermining the credibility of forensic analysis performed with the tool.

Affected Systems

Striae, a digital comparison companion for firearms examiners, is affected in all releases prior to version 3.0.0. Users running those earlier builds face the disclosed integrity bypass risk; the issue is resolved in the 3.0.0 release.

Risk and Exploitability

The vulnerability carries a CVSS base score of 8.2, indicating high severity, while the EPSS score of less than 1% suggests a low probability of active exploitation. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves delivering a crafted confirmation package to a user of Striae; if the package is accepted, the integrity check will fail to detect tampering. The exploit requires that the attacker can introduce the malicious package into the user’s workflow.

Generated by OpenCVE AI on March 20, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Striae to version 3.0.0 or later.

Generated by OpenCVE AI on March 20, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mmf8-487q-p45m Striae has a hash validation utility vulnerability
History

Fri, 20 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Striae
Striae striae
CPEs cpe:2.3:a:striae:striae:*:*:*:*:*:node.js:*:*
Vendors & Products Striae
Striae striae

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Striae-org
Striae-org striae
Vendors & Products Striae-org
Striae-org striae

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0.
Title Striae has a hash validation utility vulnerability
Weaknesses CWE-354
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Striae Striae
Striae-org Striae
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:07:35.742Z

Reserved: 2026-03-09T17:41:56.078Z

Link: CVE-2026-31839

cve-icon Vulnrichment

Updated: 2026-03-11T17:07:24.095Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T17:16:58.270

Modified: 2026-03-20T16:56:55.217

Link: CVE-2026-31839

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:55:22Z

Weaknesses