Skip to main content

Red Hat CVE-2025-6545

| EUVDEUVD-2025-18922 CRITICAL
Improper Input Validation (CWE-20)
2025-06-23 7ffcee3d-2c14-4c3e-b844-86c6a321a158 GHSA-h7cp-r72f-jxh6
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H
Ubuntu
MEDIUM
qualitative
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.1 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18922
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 19:15 nvd
CRITICAL 9.1

DescriptionCVE.org

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.

This issue affects pbkdf2: from 3.0.10 through 3.1.2.

AnalysisAI

CVE-2025-6545 is an improper input validation vulnerability in the pbkdf2 library (versions 3.0.10 through 3.1.2) affecting the lib/to-buffer.js file that enables signature spoofing through inadequate validation mechanisms. Attackers with network access and minimal attack complexity can compromise the integrity of PBKDF2-derived cryptographic signatures, potentially allowing unauthorized authentication or data tampering. The high CVSS score of 9.1 reflects critical integrity and scope impacts, though real-world exploitation likelihood depends on confirmation of active exploitation and proof-of-concept availability.

Technical ContextAI

PBKDF2 (Password-Based Key Derivation Function 2) is a widely-used cryptographic key derivation function standardized in RFC 2898, commonly employed in password hashing and signature generation workflows. The vulnerability resides in lib/to-buffer.js, which handles input conversion to buffer format—a critical preprocessing step before cryptographic operations. The root cause is CWE-20 (Improper Input Validation), indicating that the library fails to properly validate or sanitize input data before processing it through the PBKDF2 algorithm. This allows an attacker to craft malformed or unexpected input that bypasses validation checks, leading to signature spoofing where invalid signatures are accepted as legitimate. The affected CPE scope includes pbkdf2 package versions 3.0.10 through 3.1.2, commonly deployed in Node.js environments and web authentication systems.

Affected ProductsAI

pbkdf2 library versions 3.0.10, 3.0.11, 3.1.0, 3.1.1, and 3.1.2 are affected. CPE identifier: cpe:2.3:a:pbkdf2_project:pbkdf2:*:*:*:*:*:node.js:*:* with version constraints [3.0.10, 3.1.2]. This primarily affects Node.js applications and JavaScript/TypeScript projects that import pbkdf2 as a dependency. Secondary impact on any application or framework (Express.js, Next.js, Fastify, etc.) that transitively depends on pbkdf2 for authentication or signature validation. Web applications using pbkdf2 for OAuth token validation or JWT signature verification are particularly at risk.

RemediationAI

Immediate action: Update pbkdf2 to version 3.1.3 or later (post-patch version presumed available based on vulnerability disclosure). For npm-based projects: execute 'npm update pbkdf2' or specify '^3.1.3' in package.json and run 'npm install'. For yarn users: 'yarn upgrade pbkdf2@^3.1.3'. Verify the patch addresses lib/to-buffer.js input validation by reviewing the changelog or vendor advisory. Temporary mitigation if patching is delayed: implement additional input validation upstream of PBKDF2 calls, validate signature inputs against expected format before processing, or implement signature verification via alternate cryptographic libraries pending patch availability. Organizations should audit recent authentication logs for potential signature spoofing (failed or anomalous authentication attempts) if compromise window is unknown.

Vendor StatusVendor

Ubuntu

Priority: Medium
node-pbkdf2
Release Status Version
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
plucky ignored end of life, was needs-triage
oracular ignored end of life, was needs-triage
questing needs-triage -

Debian

Bug #1108283
node-pbkdf2
Release Status Fixed Version Urgency
bullseye vulnerable 3.1.1-1 -
bookworm, trixie vulnerable 3.1.2-3 -
forky, sid fixed 3.1.5+~3.1.2-1 -
(unstable) fixed 3.1.3+~3.1.2-1 -

SUSE

Severity: High
Product Status
Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-EC2 Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP4-SAP Image SLES15-SP4-SAP-BYOS Image SLES15-SP4-SAP-BYOS-EC2 Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-Hardened-BYOS Image SLES15-SP4-SAP-Hardened-BYOS-EC2 Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP5-BYOS-EC2 Image SLES15-SP5-EC2 Image SLES15-SP5-HPC-BYOS-EC2 Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP5-SAP-BYOS-EC2 Image SLES15-SP5-SAP-Hardened-BYOS-EC2 Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-EC2 Image SLES15-SP6-EC2-ECS-HVM Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-SAP-BYOS Image SLES15-SP6-SAP-BYOS-EC2 Image SLES15-SP6-SAP-EC2 Image SLES15-SP6-SAP-Hardened-BYOS Image SLES15-SP6-SAP-Hardened-BYOS-EC2 Image SLES15-SP6-SAP-Hardened-EC2 Image SLES15-SP6-SAPCAL-EC2 Image SLES15-SP7-BYOS-EC2 Image SLES15-SP7-EC2 Image SLES15-SP7-EC2-ECS-HVM Image SLES15-SP7-HPC-BYOS-EC2 Image SLES15-SP7-Hardened-BYOS-EC2 Image SLES15-SP7-SAP-BYOS-EC2 Image SLES15-SP7-SAP-EC2 Image SLES15-SP7-SAP-Hardened-BYOS-EC2 Image SLES15-SP7-SAPCAL-EC2 Affected
Image SLES15-SP5-Manager-Server-5-0-EC2-llc Image SLES15-SP5-Manager-Server-5-0-EC2-ltd Affected
Image SLES15-SP5-Manager-Server-5-0 Image SLES15-SP5-Manager-Server-5-0-Azure-llc Image SLES15-SP5-Manager-Server-5-0-Azure-ltd Affected
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Module for Python 3 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed

Share

CVE-2025-6545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy