SB2025062533 - Multiple vulnerabilities in PBKDF2
Published: June 25, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-6545)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to application silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algorithm strings. A remote attacker can perform a spoofing attack.
2) Input validation error (CVE-ID: CVE-2025-6547)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input as the application silently disregards Uint8Array input. A remote attacker can spoof signature.
Remediation
Install update from vendor's website.
References
- https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078
- https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb
- https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6
- https://github.com/browserify/pbkdf2/security/advisories/GHSA-v62p-rq8g-8h59