Bug 2374370 (CVE-2025-6545) - CVE-2025-6545 pbkdf2: pbkdf2 silently returns predictable key material
Summary: CVE-2025-6545 pbkdf2: pbkdf2 silently returns predictable key material
Keywords:
Status: NEW
Alias: CVE-2025-6545
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL: https://github.com/browserify/pbkdf2/...
Whiteboard:
Depends On: 2374433 2374435 2374439 2374443 2374449 2374451 2374455 2374461 2374463 2374465 2374431 2374437 2374441 2374445 2374447 2374453 2374457 2374459 2374464
Blocks:
Reported: 2025-06-23 19:01 UTC by OSIDB Bzimport
Modified: 2025-06-24 12:35 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-23 19:01:16 UTC
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.js.

This issue affects pbkdf2: from 3.0.10 through 3.1.2.

Comment 2 Petr Pisar 2025-06-24 07:51:38 UTC
This report refers to the pbkdf2 NPM package <https://github.com/browserify/pbkdf2> and to this advisory <https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6> about handling an unknown digest algorithm by returning a static value instead of raising an error.

Comment 3 Petr Pisar 2025-06-24 07:52:33 UTC
perl-PBKDF2-Tiny-0.005 is not affected:

$ perl -Ilib -MPBKDF2::Tiny=derive -e 'print derive(q{foo})' | hexdump -C
Digest function 'foo' not supported at -e line 1.

