A critical vulnerability in the pbkdf2 library affects versions 3.0.10 through 3.1.2. The vulnerability involves improper input validation that can cause browserified code to silently generate zero-filled cryptographic keys instead of proper ones, particularly when used in environments different from Node.js or test settings.
So pretty bad. 8.1 out of 10 for setting your crypto keys to match the US nuclear arsenal in the '80s.
Paywalled.
Sorry. It was not paywalled for me when I first saw it. More info from a different source: feedly.com/cve/CVE-2025-6545
feedly.com/cve/CVE-2025-6547
Summary copy-pasta:
A critical vulnerability in the pbkdf2 library affects versions 3.0.10 through 3.1.2. The vulnerability involves improper input validation that can cause browserified code to silently generate zero-filled cryptographic keys instead of proper ones, particularly when used in environments different from Node.js or test settings.
So pretty bad. 8.1 out of 10 for setting your crypto keys to match the US nuclear arsenal in the '80s.