CVE-2025-6547: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2025-6547 is an Improper Input Validation issue affecting pbkdf2 versions 3.1.2 and earlier, discovered and disclosed on June 23, 2025. This security flaw exists in the pbkdf2 cryptographic library, where improper validation mechanisms allow for Signature Spoofing (NVD, GitHub Advisory).

The vulnerability is classified with a CVSS v4.0 Base Score of 9.1 (Critical) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H. The issue specifically affects the input validation mechanisms in pbkdf2, where on Node.js versions prior to 3.0.0, the library silently disregards Uint8Array input, resulting in static keys being generated instead of proper cryptographic outputs (GitHub Advisory, Wiz).

The vulnerability's impact is severe as it can lead to static hashes being outputted and used as keys/passwords, which completely undermines security. When exploited, the vulnerability affects both the integrity and subsequent system security, potentially compromising cryptographic operations that rely on the pbkdf2 implementation (GitHub Advisory).

The vulnerability has been patched in version 3.1.3 of pbkdf2. Users are strongly advised to upgrade to this version or later. For systems that cannot be immediately updated, it is recommended to verify and potentially regenerate any keys that were previously generated using pbkdf2 with Uint8Array inputs on affected Node.js versions (GitHub Advisory).