ALTCHA Vulnerability

MEDIUM (6.5) Workaround Available

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

ALTCHA is privacy-first software for captcha and bot protection. It uses cryptographic techniques to prevent abuse and protect user data. However, a recent vulnerability in the ALTCHA libraries allows attackers to execute arbitrary code by manipulating challenge payload values. This can lead to replay attacks on previously solved challenges, potentially compromising abuse-prevention mechanisms.

Am I affected?

You're affected if you use altcha version 3.x through 37. Check with: git grep -q "altcha" /path/to/your/project

Note: If you don't recognize the name ALTCHA or its software, you're probably not affected.

Affected Packages

+ go: github.com/altcha-org/altcha-lib-go
+ maven: org.altcha:altcha
+ npm: altcha-lib
+ pypi: altcha

Affected Products

aEnrich / a+HRD

How to fix

Upgrade to patched versions:
+ Go: https://github.com/altcha-org/altcha-lib-go/releases/tag/v1.0.0
+ Rubygem: https://rubygems.org/gems/altcha/lib
+ pip package: https://pypi.org/project/altcha/
+ Composer package: https://packagist.org/packages/org.altcha%2Faltcha
+ Maven package: https://repo1.maven.org/maven2/org.altcha%2Faltcha/

Immediate mitigations:
+ Append a delimiter to the end of the salt value prior to HMAC computation (for example, <salt>?expires=<time>&). This prevents ambiguity between parameters and the nonce.
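The following is an added example, not code from the ALTCHA libraries, illustrating why the trailing delimiter matters. It assumes an ALTCHA-style scheme (challenge = SHA-256 of salt concatenated with the number, signature = HMAC over the challenge), an `expires` parameter carried in the salt's query string, and an application-side replay store keyed on the salt; the HMAC key, salt and number values are constructed for the demonstration. Without the delimiter, one concatenated string has more than one (salt, number) reading, so a second reading of an already accepted payload still verifies, carries a later `expires`, and misses the replay store; with the delimiter enforced on verification, only the issued reading is accepted.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment uses its own secret HMAC key.
HMAC_KEY = b"constructed-demo-hmac-key"
DELIMITER = "&"  # the trailing delimiter the mitigation appends to the salt


def _hash(salt: str, number: int) -> str:
    # ALTCHA-style challenge: hash of the salt and the number concatenated.
    return hashlib.sha256((salt + str(number)).encode()).hexdigest()


def _sign(challenge: str) -> str:
    return hmac.new(HMAC_KEY, challenge.encode(), hashlib.sha256).hexdigest()


def make_challenge(salt: str, number: int) -> dict:
    """Server side: issue a challenge for a given salt and secret number."""
    challenge = _hash(salt, number)
    return {"salt": salt, "number": number,
            "challenge": challenge, "signature": _sign(challenge)}


def expires_from_salt(salt: str):
    """Read the 'expires' parameter from the salt's query-string part, if any."""
    if "?" not in salt:
        return None
    query = salt.split("?", 1)[1]
    for part in query.split("&"):
        if part.startswith("expires="):
            return int(part[len("expires="):])
    return None


def verify(payload: dict, now: int, seen_salts: set, require_delimiter: bool) -> bool:
    """Server side: accept a solved payload once, before its expiry.

    require_delimiter=False models the pre-mitigation check; True enforces the
    trailing delimiter so the salt/number boundary has a single reading.
    """
    salt, number = payload["salt"], payload["number"]
    if not isinstance(number, int) or number < 0:
        return False
    if require_delimiter and not salt.endswith(DELIMITER):
        return False
    if _hash(salt, number) != payload["challenge"]:
        return False
    if not hmac.compare_digest(_sign(payload["challenge"]), payload["signature"]):
        return False
    expires = expires_from_salt(salt)
    if expires is not None and expires < now:
        return False
    if salt in seen_salts:  # replay protection keyed on the salt
        return False
    seen_salts.add(salt)
    return True


def run_demo() -> dict:
    now = 1_699_999_000
    results = {}

    # Without the delimiter: "a1b2?expires=17000000005123" can be read as
    # salt "a1b2?expires=1700000000" + number 5123 (as issued) or as
    # salt "a1b2?expires=170000000051" + number 23. Both hash and sign the same,
    # the second carries a later 'expires' and is absent from the replay store.
    issued = make_challenge("a1b2?expires=1700000000", 5123)
    rereading = dict(issued, salt="a1b2?expires=170000000051", number=23)
    seen = set()
    results["naive_accepts_original"] = verify(issued, now, seen, False)
    results["naive_accepts_rereading"] = verify(rereading, now, seen, False)

    # With the delimiter: the salt must end in '&' and the number is digits only,
    # so "a1b2?expires=1700000000&5123" has exactly one valid reading.
    fixed = make_challenge("a1b2?expires=1700000000" + DELIMITER, 5123)
    rereading_fixed = dict(fixed, salt="a1b2?expires=1700000000&5", number=123)
    seen = set()
    results["fixed_accepts_original"] = verify(fixed, now, seen, True)
    results["fixed_rejects_exact_replay"] = not verify(fixed, now, seen, True)
    results["fixed_rejects_rereading"] = not verify(rereading_fixed, now, seen, True)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The delimiter only helps if the verifier also rejects salts that do not end with it; appending it at issue time while accepting any salt on verification leaves the old readings valid.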