PT-2023-29917 · Pypi+5 · Crypto-Js+5
Zemnmez · Published 2023-10-25 · Updated 2025-12-16
CVE-2023-46233 · CVSS v3.1 9.1 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
crypto-js versions prior to 4.2.0
Description
crypto-js before 4.2.0 ships a weak default PBKDF2 configuration: HMAC-SHA1 as the pseudorandom function and a single iteration. The iteration count is PBKDF2's only cost parameter, so with one iteration every brute-force guess costs exactly one HMAC computation. That is 1,000 times weaker than the 1,000 iterations recommended when iterated password hashing was first specified in 1993, and at least 1,300,000 times weaker than current industry guidance (OWASP's recommended 1,300,000 iterations for PBKDF2-HMAC-SHA1). The SHA-1 default compounds the problem, since SHA-1 has been deprecated for new cryptographic use for years. Any caller of CryptoJS.PBKDF2(password, salt) that does not pass an explicit hasher and iteration count gets these defaults. The impact is high wherever the derived key protects passwords or is used to generate signatures. At the time of the advisory crypto-js had 10,642 public dependents, and the number of transitive dependents is likely several orders of magnitude higher; a rough GitHub search found 432 files calling PBKDF2 in crypto-js without specifying any iteration count.
Recommendations
For versions prior to 4.2.0, configure crypto-js explicitly as a workaround: pass hasher: CryptoJS.algo.SHA256 and iterations: 250000 (or higher) in the options argument of CryptoJS.PBKDF2. Changing the parameters changes the derived key, so any stored hashes or keys derived with the old defaults must be re-derived or migrated rather than compared directly.
Update to version 4.2.0, which patches this issue by changing the PBKDF2 defaults to SHA-256 and 250,000 iterations.
Weakness
Use of a Broken Cryptographic Algorithm
Related Identifiers
Affected Products
Centos
Debian
Linuxmint
Red Hat
Ubuntu
Crypto-Js