Impact
Version 3.0.7 of the Securly Chrome Extension relies on SHA‑1 hashing to match IWF CSAM URLs (25,020 hashes) and CIPA blocklist entries (12,352 hashes). SHA‑1 is cryptographically weak and vulnerable to collision attacks. An attacker who can generate a hash collision could manipulate the extension’s whitelist logic, causing CSAM or blocked content to be treated as allowed or vice versa. This undermines the extension’s primary purpose of protecting users from disallowed content, potentially exposing children and other users to inappropriate material.
Affected Systems
The vulnerability affects the Securly Chrome Extension, version 3.0.7. No other versions or related products were explicitly mentioned. Administrators using this specific extension version should be aware of the weakness in its hashing mechanism.
Risk and Exploitability
The CVSS score is not provided, and the EPSS score is unavailable, indicating that no public exploitation data is currently known. The attack likely requires the attacker to craft a specific hash collision, which is computationally intensive and may not be feasible in the near term. Nonetheless, the use of a broken hash algorithm compromises policy enforcement, and the absence of a listed KEV entry does not negate the risk. Organizations should monitor for vendor updates and consider disabling the extension until a patch that replaces SHA‑1 is released.
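The fix the advisory waits on, replacing SHA‑1 in the list matching, sketched as an added example (not Securly's code): a hashed blocklist has to be rebuilt from the plaintext URLs with the stronger digest, and an administrator can tell which digest a shipped list uses from entry length. The URL normalisation, function names and sample URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical hashed-blocklist matcher, not the extension's code.
const { createHash } = require("node:crypto");

// Assumed normalisation: lower-cased host plus path; scheme, query and fragment dropped.
function normalizeUrl(url) {
  const u = new URL(url);
  return u.hostname + u.pathname;
}

function digestUrl(algorithm, url) {
  return createHash(algorithm).update(normalizeUrl(url), "utf8").digest("hex");
}

// The list provider builds the digest set from the plaintext URLs.
// A SHA-1 list cannot be converted in place; it must be regenerated.
function buildList(algorithm, urls) {
  return new Set(urls.map((u) => digestUrl(algorithm, u)));
}

function isBlocked(url, list, algorithm) {
  return list.has(digestUrl(algorithm, url));
}

// Length heuristic for auditing a shipped list:
// 40 hex characters = SHA-1, 64 hex characters = SHA-256.
function auditList(entries) {
  const counts = { sha1: 0, sha256: 0, other: 0 };
  for (const e of entries) {
    if (/^[0-9a-f]{40}$/i.test(e)) counts.sha1++;
    else if (/^[0-9a-f]{64}$/i.test(e)) counts.sha256++;
    else counts.other++;
  }
  return counts;
}

// Constructed sample data (reserved .example domain).
const SOURCE_URLS = ["https://blocked.example/a", "https://blocked.example/b/c"];
const weakList = buildList("sha1", SOURCE_URLS);     // what the advisory describes
const strongList = buildList("sha256", SOURCE_URLS); // regenerated replacement

console.log("weak list audit:", auditList([...weakList]));
console.log("strong list audit:", auditList([...strongList]));
console.log("match on strong list:",
  isBlocked("HTTPS://Blocked.Example/a#frag", strongList, "sha256"));
```

Querying the old SHA‑1 list with SHA‑256 digests matches nothing, so the list and the lookup code have to change together.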