Platform: nodejs
Component: pbkdf2
Fixed in: 1.0.1, 3.1.3
CVE-2025-6547 is a critical vulnerability affecting historic, yet still supported, versions of Node.js (0.12 to 2.x). The flaw resides in the pbkdf2 module, which silently disregards Uint8Array input, potentially weakening password hashing. Affected versions include Node.js releases prior to 3.1.3; a fix has been released.
The core impact of CVE-2025-6547 is significantly weakened password hashing. When pbkdf2 silently accepts Uint8Array input in place of the expected string or buffer, the crucial type checking and validation are bypassed. This can result in shorter, less secure hashes, making password cracking substantially easier. Attackers could use this weakness to compromise user accounts and gain unauthorized access to sensitive data. Because the bypass is silent, it is hard to detect without specific monitoring.
CVE-2025-6547 has been publicly disclosed and is considered a high-probability exploit due to the ease of exploitation and the potential impact. There are currently no known active campaigns targeting this vulnerability, but the availability of the public disclosure increases the risk of exploitation. This CVE was added to the CISA KEV catalog on an unspecified date.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2025-6547 is to upgrade to Node.js version 3.1.3 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing stricter input validation within your application code to ensure that pbkdf2 only receives string or buffer inputs. While a WAF cannot directly address this vulnerability, it can help detect and block malicious requests attempting to exploit it. There are no specific Sigma or YARA rules available for this vulnerability at this time.
Update the pbkdf2 dependency to a version later than 3.1.2. This will fix the incorrect input validation vulnerability. See advisory GHSA-v62p-rq8g-8h59 for more details.
CVE-2025-6547 is a critical vulnerability in Node.js versions below 3.1.3 where the pbkdf2 module silently accepts Uint8Array input, weakening password hashing.
You are affected if you are using Node.js versions 0.12 through 2.x. Check your Node.js version with node -v.
Upgrade to Node.js version 3.1.3 or later to resolve this vulnerability. Ensure your dependencies are also up-to-date.
While there are no confirmed active campaigns, the public disclosure increases the risk of exploitation. Monitor your systems closely.
Refer to the Node.js security advisories at https://nodejs.org/en/security/ for the latest information and updates.