234 matches found
EUVD-2024-0777
Malicious code in bioql PyPI...
Security Bulletin: Multiple vulnerabilities in pbkdf2 affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-6545 and CVE-2025-6547)
Summary There are multiple vulnerabilities in pbkdf2 used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-6547 DESCRIPTION: Improper Input Validation vulnerability...
NeuVector has an insecure password storage and is vulnerable to rainbow attack
Impact NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack offline attack where hashes of known passwords are precomputed. NeuVector generates a cryptographically secure, random 16-character salt and uses it with the PBKDF2...
PT-2026-36987
Name of the Vulnerable Software and Affected Versions net-imap affected versions not specified Description A hostile IMAP server can trigger a computational denial-of-service attack on the client process during authentication using SCRAM-SHA1 or SCRAM-SHA256. By sending an arbitrarily large PBKDF...
Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to loss of confidentiality [CVE-2025-6545] [CVE-2025-6547]
Summary Node.js module pbkdf2 is used by IBM App Connect Enterprise Certified Container when accessing BAR files stored in COS S3 storage. IBM App Connect Enterprise Certified Container Dashboard operands that access BAR files stored in COS S3 storage are vulnerable to loss of confidentiality. Th...
Signature Spoofing
pbkdf2 is vulnerable to Signature Spoofing. The vulnerability is due to improper input validation in the lib/to-buffer.js file, which allows an attacker to bypass signature verification and spoof cryptographic signatures, making malicious data appear authentic...
Signature Spoofing
pbkdf2 is vulnerable to Signature Spoofing. The vulnerability is due to improper validation of input parameters within the pbkdf2 library, allows an attacker to forge or spoof digital signatures, potentially bypassing authentication or integrity checks...
The vulnerability of the pbkdf2 library in the Node.js software platform, which allows attackers to forge digital signatures
The vulnerability of the pbkdf2 library in the Node.js software platform is related to deficiencies in the mechanism for verifying input data. Exploiting this vulnerability allows a malicious actor to forge digital signatures by sending specially crafted packets...
SUSE CVE-2025-6545
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2...
SUSE CVE-2025-6547
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: =3.1.2...
CVE-2025-6547
A flaw was found in the npm pbkdf2 library, allowing signature spoofing. Under specific use cases, pbkdf2 may return static keys. This issue only occurs when running the library on Node.js...
CVE-2025-6545
A flaw was found in the npm pbkdf2 library, allowing signature spoofing. When executing in javascript engines other than Nodejs or Nodejs when importing pbkdf2/browser, certain algorithms will silently fail and return invalid data. The return values are predictable, which undermines the security...
org.webjars.npm:ethereum-cryptography (=0.1.3), org.webjars.npm:parse-asn1 (>=5.0.0 <=5.1.6) potentially affected by CVE-2025-6547 via org.webjars.npm:pbkdf2 (=3.1.2)
org.webjars.npm:pbkdf2 MAVEN version =3.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:pbkdf2 and may be impacted: - org.webjars.npm:ethereum-cryptography =0.1.3 - org.webjars.npm:parse-asn1 =5.0.0, =5.1.6 Source cves: CVE-2025-654...
@0cfg/utils-node (>=0.1.2 <=0.1.8), @b0ase/path402-api (=4.0.0-alpha.1) +262 more potentially affected by CVE-2025-6547 via pbkdf2 (>=3.0.12 <=3.1.2)
pbkdf2 NPM version =3.0.12, =0.1.2, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =2.38.0, =1.45.0, =1.1.14, =1.20.2, =1.3.13, =3.8.1, =4.26.0 and more Source cves: CVE-2025-6547 Source advisory: OSV:GHSA-V62P-RQ8G-8H59...
Generation of Predictable Numbers or Identifiers
Overview Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers via the toBuffer function. An attacker can predict cryptographic keys that were generated using Uint8Array inputs on affected Node.js versions, leading to compromised security of derived...
GHSA-V62P-RQ8G-8H59 pbkdf2 silently disregards Uint8Array input, returning static keys
Summary On historic but declared as supported Node.js versions 0.12-2.x, pbkdf2 silently disregards Uint8Array input This only affects Node.js = 0.12 and there seems to be ongoing effort in this repo to maintain that Support Uint8Array input input is typechecked against Uint8Array, and the error...
pbkdf2 silently disregards Uint8Array input, returning static keys
Summary On historic but declared as supported Node.js versions 0.12-2.x, pbkdf2 silently disregards Uint8Array input This only affects Node.js = 0.12 and there seems to be ongoing effort in this repo to maintain that Support Uint8Array input input is typechecked against Uint8Array, and the error...
org.webjars.npm:ethereum-cryptography (=0.1.3), org.webjars.npm:parse-asn1 (>=5.0.0 <=5.1.6) potentially affected by CVE-2025-6545 via org.webjars.npm:pbkdf2 (=3.1.2)
org.webjars.npm:pbkdf2 MAVEN version =3.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:pbkdf2 and may be impacted: - org.webjars.npm:ethereum-cryptography =0.1.3 - org.webjars.npm:parse-asn1 =5.0.0, =5.1.6 Source cves: CVE-2025-654...
GHSA-H7CP-R72F-JXH6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
Summary This affects both: 1. Unsupported algos e.g. sha3-256 / sha3-512 / sha512-256 2. Supported but non-normalized algos e.g. Sha256 / Sha512 / SHA1 / sha-1 / sha-256 / sha-512 All of those work correctly in Node.js, but this polyfill silently returns highly predictable ouput Under Node.js onl...
CVE-2025-6545
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2...