Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-6545
CVE-2025-6545:
JavaScript vulnerability analysis and mitigation
Overview
A critical vulnerability (CVE-2025-6545) has been identified in pbkdf2, affecting versions from 3.0.10 through 3.1.2. The vulnerability is related to improper input validation in the lib/to-buffer.js file, which allows signature spoofing through improper validation. The issue was discovered and disclosed on June 23, 2025 (NVD, GitHub Advisory).
Technical details
The vulnerability stems from improper input validation that affects both unsupported algorithms (e.g., sha3-256, sha3-512, sha512-256) and supported but non-normalized algorithms (e.g., Sha256, Sha512, SHA1). In Node.js environments (with pbkdf2/browser import) and Bun environments, the vulnerability results in uninitialized memory being returned as Buffer.allocUnsafe is used. In browser environments, it returns zero-filled buffers, which are completely unacceptable as KDF output. The vulnerability has been assigned a CVSS v4.0 score of 9.1 (Critical) with the vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H (GitHub Advisory).
Impact
The vulnerability's impact is critical as it can cause browserified code to silently generate zero-filled keys instead of proper ones, even for code that was previously working in Node.js or test environments. This affects require('crypto') in polyfilled mode, bundled code using Webpack/Vite, and specific implementations in Node.js and Bun environments. The vulnerability compromises cryptographic operations by returning predictable or uninitialized memory instead of secure cryptographic output (GitHub Advisory, Wiz).
Mitigation and workarounds
The vulnerability has been patched in version 3.1.3 and later. However, simply updating to a fixed version may not be sufficient. Users need to review and take action if they were using pbkdf2 library through crypto-browserify or directly with algorithms not from the literal string list. When targeting non-Node.js environments, it is recommended to avoid Node.js crypto polyfill entirely and instead use crypto.subtle and/or modern/audited cryptography primitives (GitHub Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management