CVE-2025-6545
pbkdf2: pbkdf2 silently returns predictable key material
ecosystem: redhat:7, redhat:8
A flaw was found in the npm pbkdf2 library, allowing signature spoofing. When run in a JavaScript engine other than Node.js, or in Node.js when importing pbkdf2/browser, certain digest algorithms silently fail instead of throwing and return invalid data. The returned key material is predictable rather than derived from the password and salt, which undermines the security guarantees of the package: any key, token or signature built on that output can be reproduced by an attacker without knowing the secret.
References
- secalert@redhat.com: https://access.redhat.com/security/cve/CVE-2025-6545
- secalert@redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2374370
- secalert@redhat.com: https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078
- secalert@redhat.com: https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb
- secalert@redhat.com: https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6
- secalert@redhat.com: https://nvd.nist.gov/vuln/detail/CVE-2025-6545
- secalert@redhat.com: https://www.cve.org/CVERecord?id=CVE-2025-6545
type: vendor
source: secalert@redhat.com
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Metric | Value
---|---
Attack Vector (AV) | Network
Attack Complexity (AC) | High
Privileges Required (PR) | None
User Interaction (UI) | None
Scope (S) | Unchanged
Confidentiality (C) | High
Integrity (I) | High
Availability (A) | High
source: secalert@redhat.com
CWE: Improper Input Validation (CWE-20)
source: secalert@redhat.com
published: 2025-06-23 18:41:18
modified: 2025-07-15 14:14:00
Detection
Affected if any of the following package groups is present:
- rhel-7-extras-including-unpatched (tag 37f3937f-8123-7add-abf7-cf9f6a1e892e):
  - firefox (package type: source)
  - thunderbird (package type: source)
- rhel-8-including-unpatched (tag 882fc17d-ce8d-8230-a24e-b80dc059e3d7):
  - mozjs60 (package type: source)
Data Sources
- RedHat Enterprise Linux CSAF VEX
redhat-vex