The following major versions are currently supported with security updates.

End-of-life for the current release will be determined prior to the release of its successor.

You should report vulnerabilities using the Github UI or via email panva.ip@gmail.com

This section documents the threat model for hpke and @panva/hpke-noble. hpke is a JavaScript implementation of Hybrid Public Key Encryption (draft-ietf-hpke-hpke) and Post-Quantum/Traditional Hybrid Algorithms for HPKE. @panva/hpke-noble provides additional algorithm implementations using @noble cryptographic libraries.

This library is intended for general application developers, cryptography practitioners, and anyone needing HPKE functionality in JavaScript runtimes (Node.js, browsers, Cloudflare Workers, Deno, Bun, and other Web-interoperable environments).

This library trusts that the Web Cryptography implementations provided by the runtime are correct and secure. The library delegates all cryptographic operations (key generation, encryption, decryption, key derivation, etc.) to the runtime's Web Cryptography implementation and does not attempt to validate or verify the correctness of these underlying primitives during runtime.

The library assumes it is running in a trusted execution environment. The following are considered outside the scope of this library's threat model:

• Prototype pollution attacks: If an attacker can modify JavaScript prototypes, this is considered a vulnerability in the user's application code or the runtime environment, not in this library.
• Debugger access: If an attacker has debugger access to the running process, they can inspect memory, modify variables, and bypass security controls. This is a runtime-level compromise, not a library vulnerability.
• Runtime compromise: Attacks that compromise the JavaScript runtime itself (e.g., malicious runtime modifications, compromised Node.js binaries, malicious browser extensions with elevated privileges) are not considered attacks on this library.

This library delegates all cryptographic operations to the underlying Web Cryptography (or user-provided algorithm implementations). Any resistance to side-channel attacks (timing attacks, cache attacks, etc.) is entirely dependent on the underlying cryptographic implementations and is outside the scope of this library.

This library aims to provide the following security guarantees:

• Specification compliance: Correct implementation of Hybrid Public Key Encryption (HPKE) and Post-Quantum/Traditional Hybrid Algorithms for HPKE, validated against test vectors from the respective specifications.
• Nonce/sequence number handling: Proper management of nonces and sequence numbers as required by the HPKE specification to prevent nonce reuse.
• Input validation: Validation of inputs to prevent misuse of the API.

This library does not handle key storage. Users are responsible for securely storing, managing, and distributing cryptographic keys or input keying material.

This library does not guarantee that key material or other sensitive data is cleared from memory after use. As long as the user retains references to key objects, the key material may remain in memory. Secure memory management is the responsibility of the user and the runtime environment.

This library supports extensibility by allowing users to provide their own KEM, KDF, or AEAD implementations. The security of user-provided implementations is entirely the user's responsibility. This library does not validate the correctness or security of user-provided algorithm implementations.

This library aims to provide the security properties defined by the HPKE specification. For a detailed analysis of threat models, security properties, and security considerations, refer to Section 9 of HPKE.

The following are explicitly not considered vulnerabilities in this library:

• Prototype pollution (CWE-1321): Attacks that exploit JavaScript prototype pollution are considered vulnerabilities in user application code or the runtime, not this library.
• Object injection (CWE-915): Similar to prototype pollution, object injection attacks are outside the scope of this library.
• Debugger/inspector access (CWE-489): If an attacker can attach a debugger to the process, they have already compromised the runtime environment.
• Memory inspection: Reading process memory, heap dumps, or core dumps to extract key material is a runtime-level attack.
• Side-channel attacks (CWE-208): Timing attacks, cache attacks, and other side-channel vulnerabilities in the underlying Web Cryptography implementations are not vulnerabilities in this library.
• Compromised runtime environment: Malicious or backdoored JavaScript runtimes, compromised system libraries, or tampered Web Cryptography implementations.
• Supply chain attacks on the runtime (CWE-1357): Compromised Node.js binaries, malicious browser builds, or similar supply chain attacks on the execution environment.
• Supply chain attacks on third-party libraries (CWE-1357): hpke has zero dependencies. @panva/hpke-noble depends on @noble cryptographic libraries. Supply chain compromises of third-party dependencies (including @noble libraries or any user-provided algorithm implementations) are not considered vulnerabilities in this project.
• Denial of service via resource exhaustion (CWE-400): While the library validates inputs, it does not implement resource limits. Applications should implement their own rate limiting and resource management.
• Issues in user-provided algorithm implementations: Security flaws in custom KEM, KDF, or AEAD implementations provided by users are the user's responsibility.