CVE-2025-54885
BaseFortify
Publication date: 2025-08-07
Last updated on: 2025-08-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thinbus | thinbus-srp | <= 2.0.0 (fixed in 2.0.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a protocol compliance bug in Thinbus Javascript Secure Remote Password (SRP6a) versions 2.0.0 and below. The client generates its private ephemeral value with only 252 bits of entropy, 4 bits short of the 256 bits the SRP specification (RFC 5054) calls for. This trims the protocol's security margin but does not make it practically exploitable: a 252-bit private value still leaves on the order of 2^252 candidates, far beyond any brute-force search, and the server is unaffected, still drawing its own private value as a full 2048-bit random number and deriving the shared session key and password proof from it as before. The issue is fixed in version 2.0.1.
How can this vulnerability impact me?
The weakness is confined to the client's private ephemeral value, which carries 252 bits of entropy instead of 256. Nothing on this page describes a practical attack that exploits the missing 4 bits: the server's private value, the shared session key and the password proof are derived exactly as before, and a 252-bit search space is still infeasible. The practical impact is therefore a reduced security margin and a deviation from the SRP specification, which matters for audits and for any policy that requires spec-compliant key material, rather than a known path to unauthorized access or session hijacking.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Thinbus Javascript Secure Remote Password to version 2.0.1 or later, which fixes the protocol compliance bug that reduced the entropy of the client private value. Because this is a browser-side JavaScript library, confirm that the bundle actually delivered to users (including any cached or vendored copy) is 2.0.1 or later, not only the version pinned in your package manifest.