CVE-2025-6547

Improper Input Validation (CWE-20)

Published: Jun 23, 2025 / Updated: 2d ago

GitHub Security Advisory: GHSA-v62p-rq8g-8h59 Release Date: 2025-06-23 Update Date: 2025-06-23 Severity: Critical CVE-2025-6547 Package Information Package: pbkdf2 Affected Versions: Patched Versions: 3.1.3 Description Static hashes being outputted and used as keys/passwords can completely undermine security That said, no one should be using those Node.js versions anywhere now, so I would recommend to just drop them This lib should not pretend to work on those versions while outputting static data though Just updating to a fixed version is not enough: if anyone was using pbkdf2 lib (do not confuse with Node.js crypto.pbkdf2) or anything depending on it with Node.js/io.js Details The error is in toBuffer method This vulnerability somehow even made it to tests: browserify/pbkdf2@eb9f97a There, resultsOld (where mismatch results) are just invalid output generated from empty password/salt instead of the supplied one Poc On Node.js/io.js require('pbkdf2').pbkdf2Sync(new Uint8Array([1,2,3]), new Uint8Array([1,3,4]), 1024, 32, 'sha256')

The vulnerability allows a remote attacker to perform a spoofing attack. Risk Medium Patch available YES Number of vulnerabilities 2 CVE-ID CVE-2025-6547

Critical Severity Description Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: Read more at https://www.tenable.com/cve/CVE-2025-6547

CVE Id: CVE-2025-6547 Release Date: 2025-06-23 Update Date: 2025-06-23 Impact Important CVSS Base Score: 8.1 Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Description No description is available for this CVE. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

GitHub Security Advisory: GHSA-v62p-rq8g-8h59 Release Date: 2025-06-23 Update Date: 2025-06-23 Severity: Critical CVE-2025-6547 Package Information Package: pbkdf2 Affected Versions: Patched Versions: 3.1.3 Description Static hashes being outputted and used as keys/passwords can completely undermine security That said, no one should be using those Node.js versions anywhere now, so I would recommend to just drop them This lib should not pretend to work on those versions while outputting static data though Just updating to a fixed version is not enough: if anyone was using pbkdf2 lib (do not confuse with Node.js crypto.pbkdf2) or anything depending on it with Node.js/io.js Details The error is in toBuffer method This vulnerability somehow even made it to tests: browserify/pbkdf2@eb9f97a There, resultsOld (where mismatch results) are just invalid output generated from empty password/salt instead of the supplied one Poc On Node.js/io.js require('pbkdf2').pbkdf2Sync(new Uint8Array([1,2,3]), new Uint8Array([1,3,4]), 1024, 32, 'sha256')

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: