CVE-2025-54885: The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended

The vulnerability is a classic case of insufficient entropy due to a programming error in the thinbus-srp-npm Javascript library. The core of the issue lies in the SRP6JavascriptClientSession.randomA function, which is responsible for generating the client's private ephemeral key, a. According to RFC 5054, this key should have at least 256 bits of entropy.

The vulnerable code attempted to determine the required entropy from the length of the safe prime N. However, a bug caused the N accessor function to be passed to the length calculation logic instead of the actual prime value. When toHex(N) was called, N.toString() was invoked on the function object, yielding its source code as a string. The length of this static string was then used to seed the random number generator, resulting in a fixed and insufficient entropy of 252 bits, which is below the recommended 256 bits and significantly less than the intended 2048 bits.

The patch addressed this by changing N and g from accessor functions to properties that hold the BigInteger values directly. Consequently, the randomA function was modified to access this.N as a property, ensuring that the length calculation is performed on the actual prime number, thus restoring the intended entropy. The function generateA which calls randomA would be the primary indicator in a runtime profile during an exploitation attempt.