Bug 2374370 (CVE-2025-6545)

Summary: CVE-2025-6545 pbkdf2: pbkdf2 silently returns predictable key material
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: abarbaro, bdettelb, bkabrda, caswilli, cdaley, chfoley, cmiranda, dhanak, doconnor, drosa, dsimansk, erack, eric.wittmann, gmalinko, gotiwari, ibek, janstey, jcantril, jchui, jhe, jhorak, jkoehler, jrokos, jscholz, jwendell, kaycoth, kingland, ktsao, kverlaen, lball, lchilton, lphiri, matzew, mnovotny, mvyas, nboldt, ngough, nipatil, pantinor, pcongius, pdelbell, periklis, pjindal, ppisar, psrna, rcernich, rkubis, rojacob, rstepani, sausingh, sdawley, sfeifer, swoodman, teagle, tpopela, veshanka
Keywords: Security
Hardware: All
OS: Linux
URL: https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6
Doc Text:
A flaw was found in the npm pbkdf2 library, allowing signature spoofing. When executing in JavaScript engines other than Node.js, or in Node.js when importing pbkdf2/browser, certain algorithms will silently fail and return invalid data. The return values are predictable, which undermines the security guarantees of the package.
Bug Depends On: 2374433, 2374435, 2374439, 2374443, 2374449, 2374451, 2374455, 2374461, 2374463, 2374465, 2374431, 2374437, 2374441, 2374445, 2374447, 2374453, 2374457, 2374459, 2374464

Description OSIDB Bzimport 2025-06-23 19:01:16 UTC
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.js.

This issue affects pbkdf2: from 3.0.10 through 3.1.2.

Comment 2 Petr Pisar 2025-06-24 07:51:38 UTC
This report refers to the pbkdf2 NPM package <https://github.com/browserify/pbkdf2> and this <https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6> advisory about handling an unknown digest algorithm by returning a static value instead of raising an error.

Comment 3 Petr Pisar 2025-06-24 07:52:33 UTC
perl-PBKDF2-Tiny-0.005 is not affected:

$ perl -Ilib -MPBKDF2::Tiny=derive -e 'print derive(q{foo})' | hexdump -C
Digest function 'foo' not supported at -e line 1.