CRITICAL | CVE-2025-6545 | CVSS 9.5

pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos


Platform

nodejs

Component

pbkdf2

Fixed in

3.1.3

AI Confidence: high | Source: NVD | EPSS 0.1% | Reviewed: May 2026

CVE-2025-6545 is a critical vulnerability in the pbkdf2 npm package. When the package's browser implementation is used, that is, when it is imported as pbkdf2/browser in Node.js or as pbkdf2 directly in Bun, calling it with an unimplemented or non-normalized digest name returns highly predictable output instead of a derived key: uninitialized memory in Node.js and Bun, and a zero-filled buffer in browsers. Password hashes and cryptographic keys derived that way offer no protection. Version 3.1.3 fixes the issue.

Impact and attack scenarios

CVE-2025-6545 affects the pbkdf2 library when it is imported as pbkdf2/browser in Node.js or directly as pbkdf2 in Bun. The browser build allocates its output with Buffer.allocUnsafe, which hands back memory without clearing it: in Node.js that memory comes from Buffer's shared pool and can still hold data from earlier allocations, in Bun it is plain uninitialized memory, and in browsers the buffer polyfill is backed by zero-filled typed arrays. When the digest name is one the library does not implement (e.g. sha3-256, sha3-512, sha512-256) or an implemented one spelled in a non-normalized form (e.g. Sha256, Sha512, SHA1, sha-1, sha-256, sha-512), the caller receives that buffer rather than a key derived from the password and salt, so the output is predictable and independent of the input. The CVSS severity is 9.5, indicating a critical risk. Any password hash or key derived through this path can be reproduced without knowing the password.

Exploitation context

No attacker action is needed to trigger the defect: an application that passes a digest name in one of the affected spellings, for example 'SHA-256' taken from a configuration value, silently derives predictable keys from the moment it is deployed. The exposure then lies with anyone who later obtains the protected material, such as a dump of stored password hashes or ciphertext encrypted under a key derived this way, since the derivation can be reproduced without the password. If the digest name itself is taken from untrusted input, an attacker who can choose it can force the vulnerable path deliberately. The risk is particularly high in web applications or services that handle passwords or encryption keys, because the predictability of the pbkdf2 output undermines every protection built on top of it.

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: NO
NextGuard: 100% still vulnerable

EPSS

0.14% (34th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical impact: partial

Affected software

Component: pbkdf2
Vendor/source: osv
Affected range: 3.0.10 – 3.1.2
Fixed in: 3.1.3

Package information

Latest release
3.1.5 (8 months ago)

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched 2 days before publication

Mitigations and workarounds

The recommended solution is to update the pbkdf2 library to version 3.1.3 or higher, which corrects the memory initialization issue. If an immediate update is not possible, make sure only implemented digest names in their normalized, lowercase form (e.g. sha1, sha256, sha512) reach the library, and reject or canonicalize anything else before the call. Note that stronger salts and higher iteration counts do not help against this defect: the returned buffer is not derived from the password, salt or iteration count at all. Review every code path that calls pbkdf2 through the browser build, check where the digest name comes from, and consider a known-answer self-test so an implementation that returns uninitialized or zero-filled memory is detected before it is trusted with real secrets.

How to fix

Update the pbkdf2 library to a version later than 3.1.2, i.e. 3.1.3 or higher. This resolves the improper input validation of digest names. The library can be updated with npm or yarn.


Frequently asked questions

What is CVE-2025-6545 in pbkdf2?

A critical (CVSS 9.5) defect in the pbkdf2 npm package, versions 3.0.10 through 3.1.2. The browser implementation allocates its output with Buffer.allocUnsafe, a JavaScript call that returns memory without clearing it, and for unimplemented or non-normalized digest names it hands that memory back instead of a derived key. The result is predictable: uninitialized memory in Node.js and Bun, zero-filled buffers in browsers.

Am I affected by CVE-2025-6545 in pbkdf2?

You are affected if you depend on pbkdf2 3.0.10 through 3.1.2 and use it through the browser build: imported as pbkdf2/browser in Node.js, as pbkdf2 in Bun, or bundled for the browser. The defect is reached when a digest name outside the library's normalized, implemented set is passed, for example Sha256, SHA1, sha-256, sha3-256 or sha512-256.

How do I fix CVE-2025-6545 in pbkdf2?

Check the pbkdf2 version in your lock file. If it is below 3.1.3, it is vulnerable: upgrade to 3.1.3 or later with npm or yarn. Until the upgrade lands, pass only normalized, implemented digest names and reject anything else before the call.

Is CVE-2025-6545 being actively exploited?

No active exploitation is reported on this page: the vulnerability is not in CISA KEV, its EPSS score is 0.14% (34th percentile), the exploit-status panel lists the proof-of-concept state as unknown, and the SSVC exploitation field reads "poc".

Where can I find the official pbkdf2 advisory for CVE-2025-6545?

The data on this page comes from OSV (listed as the vendor/source above) and NVD; no direct link to the upstream advisory is given here. There is no dedicated detection tool for this issue, so a manual review of the code paths that call pbkdf2 and of where their digest names come from is recommended.
