Platform
nodejs
Component
pbkdf2
Fixed in
3.1.3
CVE-2025-6545 is a critical vulnerability affecting the pbkdf2 polyfill used in Node.js and Bun. It causes the library to produce highly predictable output when an unsupported or non-normalized algorithm name is passed, undermining the security of derived keys and password hashes. The issue primarily impacts Node.js when pbkdf2/browser is used and Bun when pbkdf2 is imported directly; in browsers the function returns zero-filled buffers. Version 3.1.3 fixes the issue.
CVE-2025-6545 affects the pbkdf2 library when imported as pbkdf2/browser in Node.js or directly as pbkdf2 in Bun. The issue stems from the use of Buffer.allocUnsafe, which returns memory without initializing it, so residual data is left in the output buffer. This results in highly predictable output, particularly when using unsupported algorithms (e.g., sha3-256, sha3-512, sha512-256) or supported but non-normalized algorithm names (e.g., Sha256, Sha512, SHA1, sha-1, sha-256, sha-512).
Exploitation of this vulnerability requires access to the environment where the code using pbkdf2 is running. An attacker could inject malicious code to control the algorithm used or manipulate the input to force the use of a vulnerable algorithm. The risk is particularly high in web applications or services handling sensitive passwords or keys, as the predictability of the pbkdf2 output could allow decryption of protected data.
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
The recommended solution is to update the pbkdf2 library to version 3.1.3 or higher. This version corrects the memory initialization issue. If an immediate update is not possible, avoid using unsupported or non-normalized algorithms. Additionally, review code using pbkdf2 to identify potential exposure points and apply additional security measures, such as using more robust salts and an adequate number of iterations to increase key derivation complexity.
Update the pbkdf2 library to a version later than 3.1.2. This fixes the improper input validation vulnerability. You can update the library using npm or yarn.
Buffer.allocUnsafe is a Node.js Buffer API that allocates memory without initializing it, potentially leaving remnants of previous data in the returned buffer.
pbkdf2/browser in Node.js and a direct pbkdf2 import in Bun are the specific configurations where the pbkdf2 library is imported in a way that uses Buffer.allocUnsafe.
Verify the version of the pbkdf2 library you are using. If it's below 3.1.3, it's vulnerable.
Avoid using unsupported or non-normalized algorithms and consider implementing additional security measures.
Currently, there are no specific tools to detect this vulnerability, but manual code review is recommended.