Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.
The "pbkdf2: <=3.1.2" refers to the pbkdf2 NPM package <https://github.com/browserify/pbkdf2>.
This CVE-2025-6547 is about ignoring a password and a salt passed to a PBKDF2 function and returning a value as if an empty password and empty salt were given. perl-PBKDF2-Tiny-0.005 is not affected:

    $ perl -Ilib -MPBKDF2::Tiny=derive -e 'print derive(q{SHA-1}, q{password}, q{salt})' | hexdump -C
    00000000  6e 88 be 8b ad 7e ae 9d  9e 10 aa 06 12 24 03 4f  |n....~.......$.O|
    00000010  ed 48 d0 3f                                        |.H.?|
    00000014
    $ perl -Ilib -MPBKDF2::Tiny=derive -e 'print derive(q{SHA-1}, q{}, q{})' | hexdump -C
    00000000  6e 40 91 0a c0 2e c8 9c  eb b9 d8 98 b1 3a 09 d1  |n@...........:..|
    00000010  cd 7a df 6f                                        |.z.o|
    00000014

What happens if no password or salt argument is specified:

    $ perl -Ilib -MPBKDF2::Tiny=derive -e 'print derive(q{SHA-1})' | hexdump -C
    00000000  6e 40 91 0a c0 2e c8 9c  eb b9 d8 98 b1 3a 09 d1  |n@...........:..|
    00000010  cd 7a df 6f                                        |.z.o|
    00000014

This is documented in PBKDF2::Tiny: If a password or salt are not provided, they default to the empty string, so don't do that!