Summary copy pasta
A critical vulnerability in the pbkdf2 library affects versions 3.0.10 through 3.1.2. The vulnerability involves improper input validation that can cause browserifying code to silently generate zero-filled cryptographic keys instead of proper ones, particularly when used in environments different from Node.js or test settings.
So pretty bad. 8.1 out of ten for setting your crypto keys to match the US nuclear arsenal in the 80s.
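Added example, not part of the thread and not the pbkdf2 package's own code: a defensive wrapper that runs a known-answer test (RFC 6070 vector 1) against whatever PBKDF2 function a bundle ends up with, then rejects a zero-filled result on each call. `selfTest`, `guardedDerive` and `flakyDerive` are hypothetical names, and `flakyDerive` is a constructed stand-in for the silent failure described in the summary, not the library's actual behaviour.

```javascript
// Added example: known-answer self-test plus a per-call zero-key check.
const { pbkdf2Sync, timingSafeEqual } = require('node:crypto');

// RFC 6070 test vector 1: PBKDF2-HMAC-SHA1, P="password", S="salt", c=1, dkLen=20.
const KAT = {
  password: 'password', salt: 'salt', iterations: 1, keylen: 20, digest: 'sha1',
  expected: Buffer.from('0c60c80f961f0e71f3a9b524af6012062fe037a6', 'hex'),
};

// True when every byte is zero (the silent failure described in the summary).
function isAllZero(buf) {
  return buf.length > 0 && buf.every((b) => b === 0);
}

// Run the known-answer test against any function with pbkdf2Sync's signature.
function selfTest(derive) {
  let out;
  try {
    out = Buffer.from(derive(KAT.password, KAT.salt, KAT.iterations, KAT.keylen, KAT.digest));
  } catch (err) {
    return { ok: false, reason: 'threw: ' + err.message };
  }
  if (out.length !== KAT.keylen) return { ok: false, reason: 'wrong length' };
  if (isAllZero(out)) return { ok: false, reason: 'zero-filled key' };
  if (!timingSafeEqual(out, KAT.expected)) return { ok: false, reason: 'known-answer mismatch' };
  return { ok: true, reason: 'known-answer match' };
}

// Derive a key, failing closed instead of handing back an unusable key.
function guardedDerive(derive, password, salt, iterations, keylen, digest) {
  const check = selfTest(derive);
  if (!check.ok) throw new Error('PBKDF2 self-test failed: ' + check.reason);
  const key = Buffer.from(derive(password, salt, iterations, keylen, digest));
  if (key.length !== keylen) throw new Error('PBKDF2 returned a key of the wrong length');
  if (isAllZero(key)) throw new Error('PBKDF2 returned a zero-filled key');
  return key;
}

// Constructed stand-in (hypothetical): correct for 'sha1', silently zero-filled otherwise.
// It passes the self-test, which is why the per-call check above is also needed.
function flakyDerive(password, salt, iterations, keylen, digest) {
  if (digest === 'sha1') return pbkdf2Sync(password, salt, iterations, keylen, digest);
  return Buffer.alloc(keylen);
}
```

A correctly derived key of 16 bytes or more is all zeros only with negligible probability, so the per-call check does not reject valid output in practice.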
Paywalled.
Sorry. It was not paywalled for me when I first saw it. More info from a different source: https://feedly.com/cve/CVE-2025-6545