PT-2025-32241 · Unknown · Thinbus-Srp-Npm
Svenschindler
·
Published
2025-08-06
·
Updated
2025-08-07
·
CVE-2025-54885
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
thinbus-srp-npm versions 2.0.0 and below
Description
A protocol compliance bug exists in the Javascript Secure Remote Password implementation, specifically in the client's entropy generation. The client generates a fixed 252 bits of entropy instead of the intended bit length of the safe prime (defaulted to 2048 bits). This is due to the client public value being generated from a private value that is 4 bits below the specification, reducing the protocol's security margin and making it practically exploitable. The server utilizes a full-sized 2048-bit random number to create the shared session key and password proof.
Recommendations
Upgrade to version 2.0.1 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Thinbus-Srp-Npm