PT-2025-26634 · Node.Js +2
Chalker
·
Published
2025-06-23
·
Updated
2025-08-08
·
CVE-2025-6545
10
Critical
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
pbkdf2 versions 3.0.10 through 3.1.2
Description:
pbkdf2 contains an Improper Input Validation vulnerability that allows Signature Spoofing by Improper Validation. The affected code is in lib/to-buffer.js. The vulnerability is caused by the silent return of predictable uninitialized or zero-filled memory for non-normalized or unimplemented algorithms supported by Node.js.
Recommendations:
For versions 3.0.10 through 3.1.2, update to a version that fixes the Improper Input Validation vulnerability to prevent Signature Spoofing.
As a temporary workaround, consider restricting the use of non-normalized or unimplemented algorithms supported by Node.js until a patch is available.
References
- https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb · Patch
- https://security-tracker.debian.org/tracker/CVE-2025-6545 · Vendor Advisory
- https://osv.dev/vulnerability/UBUNTU-CVE-2025-6545 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2025-6545 · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2025-6545 · Security Note
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6545 · Security Note
- https://security-tracker.debian.org/tracker/source-package/node-pbkdf2 · Vendor Advisory
- https://osv.dev/vulnerability/GHSA-h7cp-r72f-jxh6 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-6545 · Security Note
- https://bdu.fstec.ru/vul/2025-07453 · Security Note
- https://ubuntu.com/security/CVE-2025-6545 · Vendor Advisory
- https://github.com/browserify/pbkdf2 · Note
- https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078 · Note
- https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6 · Note
- https://t.me/cvetracker/26866 · Telegram Post