Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionNVD
Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).
AnalysisAI
Information disclosure weakness in Securly Chrome Extension version 3.0.7 stems from continued reliance on the deprecated SHA-1 algorithm to hash and match 25,020 IWF CSAM URLs and 12,352 CIPA blocklist URLs. Because SHA-1 is vulnerable to collision attacks, an adversary with knowledge of the hash list could derive or guess matching URLs, exposing sensitive blocklist contents and undermining the integrity of the content-filtering mechanism. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue was reported through CERT/CC (VU#595768), giving it credible vendor-coordinated provenance.
Technical ContextAI
Securly is a cloud-based web-filtering and student-safety product whose Chrome Extension enforces policy on managed Google/ChromeOS devices in K-12 environments. The extension matches browsed URLs against two embedded hash lists: the Internet Watch Foundation (IWF) CSAM URL list and a CIPA-compliance blocklist. The root cause maps to CWE-407 (Inefficient Algorithmic Complexity, often used here to denote use of a cryptographically broken primitive in a security-relevant matching path). SHA-1 has been deprecated by NIST since 2011 and is considered collision-broken since the 2017 SHAttered work; using it for sensitive set-membership checks means an attacker can pre-compute or brute-force collisions to either learn the protected URLs or craft URLs that evade matching. CPE cpe:2.3:a:securly:securly_chrome_extension covers the affected build.
RemediationAI
No vendor-released patch identified at time of analysis; the CERT/CC advisory (https://kb.cert.org/vuls/id/595768) is the primary tracking source and should be monitored for a fixed Securly Chrome Extension build that replaces SHA-1 with a collision-resistant hash such as SHA-256 (with a per-list salt or HMAC to resist precomputation). Until a fixed extension is published, administrators using Google Admin console force-install of the Securly extension should subscribe to Securly's customer advisories, pin extension auto-update to receive the fix promptly, and consider augmenting client-side filtering with Securly's network/DNS-layer enforcement so CSAM/CIPA policy does not depend solely on the client-side hash list (trade-off: requires Securly's gateway/DNS service to be in scope, which not all deployments use). Avoid attempts to redistribute or reverse the embedded hash lists, as the CSAM list is legally sensitive.
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34167
GHSA-7qqf-r2pg-xhqj