CVE-2025-6545
BaseFortify
Publication date: 2025-06-23
Last updated on: 2025-06-23
Assigner: harborist
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6545 is a critical vulnerability in the pbkdf2 npm package versions 3.0.10 through 3.1.2 that arises from improper input validation and handling of cryptographic algorithms in polyfilled environments like browserify and Bun. When unsupported or non-normalized algorithm names (e.g., sha3-256, SHA-1, sha-512) are used, the pbkdf2 polyfill returns predictable, insecure outputs instead of correct derived keys. In browsers, this results in zero-filled buffers, and in Node.js polyfilled environments, it can leak uninitialized memory. This flaw allows attackers to spoof signatures and compromises the security of cryptographic key derivation without any error or warning. [3]
How can this vulnerability impact me? :
This vulnerability can critically impact you by causing your applications to generate weak, predictable, or even sensitive data-leaking cryptographic keys when using pbkdf2 in polyfilled environments with unsupported or improperly formatted algorithm names. This undermines the confidentiality and integrity of cryptographic operations such as password hashing or key generation, potentially allowing attackers to spoof signatures or compromise secure communications. The vulnerability requires no privileges or user interaction and can be exploited remotely, making it highly dangerous. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your environment uses the vulnerable pbkdf2 versions (>=3.0.10 and <=3.1.2) in polyfilled environments such as browserify, crypto-browserify, or Bun. You can test for the vulnerability by running pbkdf2 with unsupported or non-normalized algorithm names (e.g., 'sha3-256', 'SHA-1', 'sha-256') and verifying if the output is predictable (zero-filled buffers in browsers or uninitialized memory in Node.js polyfills). A practical detection method is to compare the derived key output of pbkdf2 in your environment against the expected output from the native Node.js pbkdf2Sync function using supported algorithms. If the outputs differ or are zero/uninitialized buffers, the vulnerability is present. Specific commands depend on your environment, but for Node.js you can write a test script invoking pbkdf2 with various algorithm names and check outputs. No explicit commands are provided in the resources. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the pbkdf2 package to version 3.1.3 or later, where the vulnerability is patched. Additionally, audit your codebase to ensure that only supported and normalized cryptographic algorithm names are used (e.g., 'sha1', 'sha256', 'sha512' in lowercase and without variations). Avoid using Node.js crypto polyfills in non-Node.js environments and prefer modern, audited cryptographic primitives such as crypto.subtle in browsers. These steps will prevent the generation of predictable or insecure derived keys and protect cryptographic operations. [3]