CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H
Description (NVD)
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Analysis (AI)
CVE-2025-6545 is an input-validation bug (CWE-20) in the pbkdf2 npm package, versions 3.0.10 through 3.1.2. It sits in lib/to-buffer.js, the helper that normalises the password and salt arguments into Buffers before the derivation runs. Because that normalisation is wrong for one accepted input form, the derived key does not depend on the caller's input the way PBKDF2 guarantees, so any secret built from it (a password verifier, a MAC key, an encryption key) is weaker than intended and, for an attacker who knows the remaining parameters, predictable. PBKDF2 produces keys rather than signatures; the "Signature Spoofing" wording in the NVD description is the CNA's impact label, and in practice it means that anything authenticated or encrypted with such a key can be forged or decrypted. The CVSS 4.0 vector scores 9.1 with network reachability, low attack complexity and no privileges or user interaction, but its AT:P component records a precondition: the application must feed the library the mis-handled kind of input. Whether a given deployment is exposed therefore depends on how it calls pbkdf2, not on anything the attacker sends.
Technical Context (AI)
PBKDF2 (Password-Based Key Derivation Function 2) is the key derivation function of PKCS #5, specified in RFC 2898 and its successor RFC 8018. It runs an HMAC over the password and salt for a configurable iteration count and returns a key of the requested length; it is used to store password verifiers and to derive symmetric keys (for encryption or MACs) from passwords. It does not produce signatures, so the "Signature Spoofing" label in the NVD description names an impact, not a mechanism. The npm package pbkdf2 is the JavaScript implementation that crypto-browserify pulls in as the Node `crypto` polyfill for browser bundles; in Node it prefers the native `crypto` implementation when that supports the requested digest and otherwise uses its own pure-JavaScript code. lib/to-buffer.js is the helper that normalises the password and salt arguments (strings, Buffers, typed arrays) into Buffers before derivation starts. CWE-20 (Improper Input Validation) is the assigned weakness because one accepted input form is not converted correctly: the GitHub advisory GHSA-h7cp-r72f-jxh6 describes the affected case as Uint8Array input being silently disregarded, so that the returned key no longer depends on the supplied bytes. The failure is triggered by ordinary application code that passes its own secret as a typed array, not by attacker-crafted input; the consequence is a key that an attacker who knows the other parameters can reproduce. The NVD CPE for the issue covers pbkdf2 3.0.10 through 3.1.2 for Node.js.
Affected Products (AI)
Affected releases are pbkdf2 3.0.10, 3.0.11, 3.1.0, 3.1.1 and 3.1.2 (NVD CPE cpe:2.3:a:pbkdf2_project:pbkdf2:*:*:*:*:*:node.js:*:*, version range [3.0.10, 3.1.2]). Direct consumers are Node.js and TypeScript projects that list pbkdf2 in package.json, but the larger population is transitive: crypto-browserify, the Node `crypto` polyfill used by browserify and by webpack 4's automatic Node polyfills, depends on pbkdf2, so browser bundles that derive keys from user passwords often carry it without naming it. Distribution packages are tracked in the vendor tables below. Frameworks such as Express, Next.js or Fastify are not affected by themselves; they matter only where the application or a library it uses calls pbkdf2 to derive keys. JWT and OAuth token validation do not use PBKDF2, so the realistic exposure is password verification, password-to-key derivation for encryption, and MAC keys derived from passwords.
Remediation (AI)
Upgrade pbkdf2 to 3.1.3 or later; 3.1.3 is the fixed release, as the Debian entry below (3.1.3+~3.1.2-1 fixed) confirms. Because the package usually arrives transitively, `npm update pbkdf2` may not reach nested copies: run `npm ls pbkdf2 --all` (or `yarn why pbkdf2`) to list every copy and its path, then refresh the lockfile with `npm audit fix`, an `overrides` entry in package.json (`resolutions` for Yarn classic) pinning `pbkdf2` to `^3.1.3`, or `npm install pbkdf2@^3.1.3` for a direct dependency. Confirm afterwards with `npm ls pbkdf2` that no copy in the 3.0.10 to 3.1.2 range remains. If upgrading is delayed: in Node, call the built-in `crypto.pbkdf2` or `crypto.pbkdf2Sync` directly; in browsers, use the Web Crypto API (`SubtleCrypto.deriveBits` with PBKDF2); and avoid passing typed-array (Uint8Array) arguments to an affected copy, the input form the GitHub advisory identifies. Keys that an affected version derived from such input should be treated as weak: re-derive them after upgrading, rotate anything encrypted or authenticated with them, and review authentication logs for the exposure window if it is unknown.
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
Debian
Bug #1108283

| Release | Status | Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 3.1.1-1 | - |
| bookworm, trixie | vulnerable | 3.1.2-3 | - |
| forky, sid | fixed | 3.1.5+~3.1.2-1 | - |
| (unstable) | fixed | 3.1.3+~3.1.2-1 | - |
References
EUVD-2025-18922
GHSA-h7cp-r72f-jxh6