CVE-2025-54885 Thinbus generates insufficient entropy: 252 bits vs minimum 256 bits

Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime defaulted t...

GHSA-8Q6V-474H-WHGG The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended

Impact A protocol compliance bug in thinbus-srp-npm versions prior to 2.0.1 causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime defaulted to 2048 bits. RFC 5054 states in section 2.5.4 Client Key Exchange The client key exchange message...

PT-2025-32241 · Unknown · Thinbus-Srp-Npm

Name of the Vulnerable Software and Affected Versions: thinbus-srp-npm versions 2.0.0 and below Description: A protocol compliance bug exists in the Javascript Secure Remote Password implementation, specifically in the client's entropy generation. The client generates a fixed 252 bits of entropy...