SimpleCrypto implements AES-CBC with PKCS#7 padding, which is vulnerable to chosen-ciphertext attacks, specifically a padding oracle attack.

These vulnerabilities in CBC mode have been public for 17 years (since Serge Vaudenay published a paper about it in 2002).

Recommendation: Migrate to one of the following...

1. XChaCha20-Poly1305
2. AES-GCM-SIV
3. AES-GCM

We upgraded our sever to Ubuntu version 22.04.2 and now library has stopped working we are using version 3.0.1 . Its gives us an error
simplecrypto Invalid encrypted text received. Decryption halted. Even though the string was encrypted by the same key that we are using to decrypt

I'm on a Remix project, I added simple crypto through pnpm then on top of my file I just added

import SimpleCrypto from "simple-crypto-js";

const secretKey = "some-unique-key";
const crypto = new SimpleCrypto(secretKey);

But this doesn't work properly with Remix build

 info  rebuilding... (~ app/routes/_tools.qr-code-time-tracking.tsx)
 info  rebuilt (496ms)
TypeError: SimpleCrypto is not a constructor
    at file:///...website/app/routes/_tools.qr-code-time-tracking.tsx:12:16
    at ModuleJob.run (node:internal/modules/esm/module_job:194:25)

Do you know what could be going on right now?

Hi,

I recently tried to use your library for a project, but encountered issues while compiling with strict-mode on:

node_modules/simple-crypto-js/src/SimpleCrypto.ts:9:22 - error TS7006: Parameter 'secret' implicitly has an 'any' type.

9   public constructor(secret) {
                       ~~~~~~

node_modules/simple-crypto-js/src/SimpleCrypto.ts:23:11 - error TS2322: Type 'string | null' is not assignable to type 'string'.
  Type 'null' is not assignable to type 'string'.

23     const string: string = typeof data == "object" ? JSON.stringify(data) : typeof data == "string" || typeof data == "number" || typeof data == 'boolean' ? data.toString() : null;
             ~~~~~~

node_modules/simple-crypto-js/src/SimpleCrypto.ts:31:77 - error TS2345: Argument of type '{ iv: string | WordArray; padding: Padding; mode: Mode; }' is not assignable to parameter of type 'CipherOption'.
  Types of property 'iv' are incompatible.
    Type 'string | WordArray' is not assignable to type 'string | undefined'.
      Type 'WordArray' is not assignable to type 'string'.

 31     const encrypted: CryptoJS.WordArray = CryptoJS.AES.encrypt(string, key, {
                                                                                ~
 32       iv: initialVector,
    ~~~~~~~~~~~~~~~~~~~~~~~~
...
 34       mode: CryptoJS.mode.CBC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 35     });
    ~~~~~

I have created a MR to fix these issues, and other small issues :)

As from 2.3.0 we cannot use clients that uses 2.2.0 or older version. This issue prevents from updating the module to the newest version.

When encrypting and decrypting a string with a leading 0, it removes the 0.

import SimpleCrypto from "simple-crypto-js"

let simpleCrypto = new SimpleCrypto("hYLiR5U1g2ppct1Aw8hf");
let encrypted = simpleCrypto.encryptObject("0419383728");
console.log(encrypted);

let decrypted = simpleCrypto.decrypt(encrypted);
console.log(decrypted + typeof decrypted);

output

419383728number

I am sending the data to a PHP server that will also know the secret key. How do I determine the IV being used since IV is a requirement for AES-CBC?

I am getting "Error: Invalid encrypted text received. Decryption halted" while decryption. Please note that same encrypted value is getting decrypted successfully in one setup(vm) but its not working in another setup(vm), my _secretKey is same I have not changed any thing.

What could be the reason?

I'm getting this annoying warning when compiling from React Typescript:

Compiled with warnings.

Failed to parse source map from '.../node_modules/simple-crypto-js/src/SimpleCrypto.ts' file: Error: ENOENT: no such file or directory, open '.../node_modules/simple-crypto-js/src/SimpleCrypto.ts'

Search for the keywords to learn more about each warning.
To ignore, add // eslint-disable-next-line to the line before.

WARNING in ./node_modules/simple-crypto-js/lib/SimpleCrypto.js
Module Warning (from ./node_modules/source-map-loader/dist/cjs.js):
Failed to parse source map from '.../node_modules/simple-crypto-js/src/SimpleCrypto.ts' file: Error: ENOENT: no such file or directory, open '.../node_modules/simple-crypto-js/src/SimpleCrypto.ts'

There is a source map for JS file. My best guess is that the source map file for SimpleCrypto.ts TS file is missing.

brix/crypto-js#258, basically at the moment this library will fail but forcing the following will fix
"crypto-js": "3.1.9-1"

I am reading a .mp4 file and encrypting it using the library and writing it as a .dat file. I am accessing the .dat file and streaming 4,000,000 characters at a time till the end. While streaming, i am decrypting the data on go. So, the first set of characters are decrypting succcessfully using this method

var decipherText = simpleCrypto.decrypt(chunk)

while the next set of characters throw Malformed UTF-8 data error.

Hi,

Since I updated from 2.2.0 to 2.4, my Expo (React Native) app, stopped working properly, throwing this error on decrypt:

The package at "node_modules/crypto-js/core.js" attempted to import the Node standard library module "crypto". It failed because React Native does not include the Node standard library. Read more at https://docs.expo.io/versions/latest/introduction/faq/#can-i-use-nodejs-packages-with-expo
Failed building JavaScript bundle.

Any idea how to fix that?

Do you know an implementation of this lib in PHP?
To perform intercommunication between JS and PHP.

Is it possible to sign & verify messages without encrypt it?

Errors throw here: https://github.com/danang-id/simple-crypto-js/blob/75f6bfcc9d8b9c280e578760538def19366c99eb/src/SimpleCrypto.ts#L172C1-L174C4

This is the crypto-js commit that cause the issue:
brix/crypto-js@808f499

I'm not very good with understanding crypto but have created a pouchdb plugin for my project.

I'd like to know if pepper is used in this lib.
(I couldn't find it in a variable by the name pepper.)

Fixed by renaming:

lib/SimpleCrypto.d.ts to lib/SimpleCrypto.d.tsx

Kindly consider providing this fix.

Hi Guys ... I am trying to use simple-crypto-js lib in my angular app but while installing the package via npm i ... I am getting below Typescript errors - Cannot use namespace 'WordArray' as a type.

Below are the version details:
Angular 7
Typescript 3.2
Simple-crypto-js 2.3

Any help or guidance would be highly appreciated. Thank you!

Followed the cdn link to https://cdn.jsdelivr.net/npm/simple-crypto-js@latest/dist/SimpleCrpyto.min.js

Couldn't find the requested file /dist/SimpleCrpyto.min.js in simple-crypto-js.

There any way to change the number of encrypt plainText, like put the cipherText length to 20 or any other number of caracther ?
And do the decrypt with this cipherText with length to 20 or any other number of caracther

Hi Is simple-crypto-js compatible with react-native? i.e if I encrypt a string in nodejs (server) and try to decrypt it in react-native, it it gauranteed to work at all times?

Hello,

May I please ask for your assistance to the following issue? Not sure if it is related to simple-crypto-js or not, but I would appreciate your comments.

Version I am using: 3.0.1

Steps to reproduce the error:

• I’m using indexedDb to save my apps data in the browser. When user closes the apps, indexedDb data is converted to blob, then in base64, and finally I stringify it.
• The resulted string is now encrypted using simple-crypto-js. It is stored again on indexedDb.
• To decrypt, I get the encrypted text from indexedDb first, and do the decryption which works fine most of the time. However, not sure why, I do receive the invalid encrypted text error message without any version change at all. (Not sure if it is because I am encrypting a large amount of chars) causes the decryption to fail.)

PS: I have already tried and explore the latest suggestion in this issue as well without success.

Thank you.

Hi,

I'm having another issue.

• I have an API server, using Node / Express which uses your lib to encrypt data and put this encrypted data into a QR Code
• I have a mobile app (React Native) which reads those QR Code and decrypt data using the same version of your lib, and the same code : they actually share the same JS module

Few days ago, the strangest thing happened. My Express app have 3 envs : local, develop, production.
• on local, QR codes are working, data is encrypted (by my local server) and decrypted (by the mobile app) successfully
When I log my simpleCrypto instance after setting it with a secret key and encrypted data, it returns something like this :
{"_secret":"my-secret","_keySize":256,"_iterations":100,"_defaultEncoder":{}}
• on production, QR codes are working, data is encrypted (by my local server) and decrypted (by the mobile app) successfully
• on develop, Qr codes looks differents, and when I log simpleCrypto instance, with the same code (it actually is the same branch) it returns :
{"_dataBuffer":"my-text-to-encrypt","_encoder":{},"_secret":{"words":[1411654652,1498173583,-882117861,-1761465478,-1507164864,-1303364673,-1856803349,-526043043,-333785183,190184971,-1097709156,1104822113,-274110398,1746094063,-1976477165,-629992992],"sigBytes":64},"_keySize":256,"_iterations":100}

What I don't understand is that my local and the dev have the same package.json, same package-json.lock, same Node version, same code, but simpleCrypto instances objects are not the same, and I really have no clue what can cause this.

It's more a question than an issue... But I'm looking for any idea :)

The line here prevents us from encrypting an empty string, even though it was possible before 2.4.0?

I understand the reasoning behind this (as to prevent silly errors by developers), but this actually complicates my use case of doing E2EE, as live editing forms where users may clear a form, will throw an error.

Is there anyway I could make a PR that would disable this protection or at least add an an optional parameter to disable it?

Hey SimpleCrypto team,

I've been using this library for a while now, and was excited to see a new release, but my tests are failing as I've found a little bug in the type detection.

If I encrypt this string: 97c9fadd9deefa0e3594d79e6b86b55bb4906fc2ae21956ca09cdd51e6827a1e using this function:

 const simpleCrypto = new SimpleCrypto(password);

 return simpleCrypto.encrypt(data);

and decrypt it using:

 try {
    const simpleCrypto = new SimpleCrypto(password);

    return simpleCrypto.decrypt(text);
  } catch {
    return undefined;
  }

I will get back the number 97 in number form (not string).

If you need help reproducing, I can create a codesandbox or something, but this is a pretty easy to repo issue.