Skip to main content

Red Hat CVE-2025-6547

| EUVDEUVD-2025-28751 CRITICAL
Improper Input Validation (CWE-20)
2025-06-23 7ffcee3d-2c14-4c3e-b844-86c6a321a158 GHSA-v62p-rq8g-8h59
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
Ubuntu
MEDIUM
qualitative
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.1 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-28751
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
CVE Published
Jun 23, 2025 - 19:15 nvd
CRITICAL 9.1

DescriptionCVE.org

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.

AnalysisAI

CVE-2025-6547 is an improper input validation vulnerability in the pbkdf2 cryptographic library (versions ≤3.1.2) that allows attackers to spoof cryptographic signatures through inadequate validation mechanisms. This affects any application using vulnerable pbkdf2 versions for password hashing or key derivation, potentially compromising authentication and integrity verification. With a CVSS score of 9.1 and high integrity/signature impact ratings, this vulnerability has significant real-world implications for systems relying on pbkdf2 for security-critical operations.

Technical ContextAI

PBKDF2 (Password-Based Key Derivation Function 2) is a standardized key derivation function defined in RFC 2898, commonly used for password hashing and cryptographic key generation. The vulnerability stems from CWE-20 (Improper Input Validation), indicating that the library fails to properly validate inputs before processing them in cryptographic operations. This inadequate validation allows attackers to manipulate input parameters or bypass verification checks, leading to signature spoofing—a critical failure where an attacker can forge valid-appearing signatures without possessing the correct cryptographic key. The affected CPE scope includes pbkdf2 library implementations through version 3.1.2. The vulnerability appears in the signature validation logic rather than the core key derivation algorithm itself, suggesting the issue lies in how derived keys are verified or how signature operations handle their inputs.

Affected ProductsAI

  • product: pbkdf2; affected_versions: ≤3.1.2; severity: Critical; notes: All implementations of pbkdf2 library at version 3.1.2 and earlier are vulnerable. This includes Node.js pbkdf2, Python pbkdf2, and other language-specific implementations of the PBKDF2 standard.

RemediationAI

  • action: Upgrade pbkdf2 library; target_version: >3.1.2; details: Immediate patching is required. Update to the latest stable version of pbkdf2 from the official repository or package manager (npm, pip, etc. depending on language/framework).
  • action: Validate input sanitization; details: Implement strict input validation at the application layer for all cryptographic operations, particularly signature verification and key derivation parameters. Do not rely solely on library input handling.
  • action: Implement cryptographic key rotation; details: If signature spoofing has occurred, rotate all cryptographic keys and re-verify integrity of signed data generated during the vulnerable period.
  • action: Audit signature verification logic; details: Review application code using pbkdf2 for signature operations. Ensure proper constant-time comparison and complete validation of all signature parameters.
  • action: Monitor for exploitation; details: Check security logs and audit trails for suspicious signature validation failures, unexpected authentication bypasses, or tampered data integrity checks during periods when vulnerable pbkdf2 versions were in use.

Vendor StatusVendor

Ubuntu

Priority: Medium
node-pbkdf2
Release Status Version
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
questing needs-triage -
plucky ignored end of life, was needs-triage

Debian

node-pbkdf2
Release Status Fixed Version Urgency
bullseye fixed 3.1.1-1 -
bookworm, trixie fixed 3.1.2-3 -
forky, sid fixed 3.1.5+~3.1.2-1 -
(unstable) not-affected - -

SUSE

Severity: High
Product Status
Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-EC2 Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP4-SAP Image SLES15-SP4-SAP-BYOS Image SLES15-SP4-SAP-BYOS-EC2 Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-Hardened-BYOS Image SLES15-SP4-SAP-Hardened-BYOS-EC2 Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP5-BYOS-EC2 Image SLES15-SP5-EC2 Image SLES15-SP5-HPC-BYOS-EC2 Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP5-SAP-BYOS-EC2 Image SLES15-SP5-SAP-Hardened-BYOS-EC2 Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-EC2 Image SLES15-SP6-EC2-ECS-HVM Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-SAP-BYOS Image SLES15-SP6-SAP-BYOS-EC2 Image SLES15-SP6-SAP-EC2 Image SLES15-SP6-SAP-Hardened-BYOS Image SLES15-SP6-SAP-Hardened-BYOS-EC2 Image SLES15-SP6-SAP-Hardened-EC2 Image SLES15-SP6-SAPCAL-EC2 Image SLES15-SP7-BYOS-EC2 Image SLES15-SP7-EC2 Image SLES15-SP7-EC2-ECS-HVM Image SLES15-SP7-HPC-BYOS-EC2 Image SLES15-SP7-Hardened-BYOS-EC2 Image SLES15-SP7-SAP-BYOS-EC2 Image SLES15-SP7-SAP-EC2 Image SLES15-SP7-SAP-Hardened-BYOS-EC2 Image SLES15-SP7-SAPCAL-EC2 Affected
Image SLES15-SP5-Manager-Server-5-0-EC2-llc Image SLES15-SP5-Manager-Server-5-0-EC2-ltd Affected
Image SLES15-SP5-Manager-Server-5-0 Image SLES15-SP5-Manager-Server-5-0-Azure-llc Image SLES15-SP5-Manager-Server-5-0-Azure-ltd Affected
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Module for Python 3 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed

Share

CVE-2025-6547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy