
CVE-2025-6547: pbkdf2 Uint8Array Input Validation Static Key Generation Vulnerability

CVSS Score: 9.1

Basic Information

EPSS Score: -
Published: 6/23/2025
Updated: 6/23/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name: pbkdf2
Ecosystem: npm
Vulnerable Versions: <= 3.1.2
First Patched Version: 3.1.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability exists in the pbkdf2 npm package and affects applications running on Node.js versions older than 3.0.0. The core of the issue lies in the improper handling of Uint8Array data types for passwords and salts.

The root cause is a flawed type-checking and conversion mechanism within an internal utility function located in lib/to-buffer.js. In vulnerable versions, this function fails to correctly convert Uint8Array inputs into Buffers, causing them to be treated as empty. This flaw was fixed in commit e3102a8cd4830a3ac85cd0dd011cc002fdde33bb by introducing an external dependency, to-buffer, which correctly handles these types.

The user-facing functions, pbkdf2 (asynchronous) and pbkdf2Sync (synchronous), are the entry points for this vulnerability. When developers use these functions with Uint8Array inputs on an affected Node.js version, the toBuffer utility's failure leads to the cryptographic operations being performed on empty strings. This results in the generation of a static, predictable key, which completely undermines the security of the key derivation process.

Therefore, a security engineer should be aware that any part of their system using the pbkdf2 library's pbkdf2 or pbkdf2Sync functions on an outdated Node.js runtime is at risk. Exploitation would result in weak, predictable cryptographic keys being used, which could lead to a total compromise of the data or systems protected by these keys. The fix is to update the pbkdf2 package to version 3.1.3 or later.

Vulnerable functions

toBuffer (lib/to-buffer.js)
This is an anonymous function exported by `lib/to-buffer.js`. In vulnerable versions, this function was responsible for converting different input types into a Buffer. The logic to handle `Uint8Array` was flawed on older Node.js versions (< 3.0.0). The check `ArrayBuffer.isView(thing)` and the subsequent conversion `Buffer.from(thing.buffer)` did not work as expected for `Uint8Array` inputs, causing them to be treated as empty. This led to the generation of static keys. The patch replaces this faulty logic with the `to-buffer` library, which correctly handles `Uint8Array`.

pbkdf2Sync (lib/sync.js)
This is a primary synchronous function exposed by the `pbkdf2` library. It utilizes the vulnerable `toBuffer` function to process password and salt inputs. When a `Uint8Array` is provided as input on an affected Node.js version, `pbkdf2Sync` receives an empty buffer from `toBuffer`. Consequently, it computes a predictable, static key based on empty inputs, rather than the actual data provided by the user.

pbkdf2 (lib/async.js)
This is the asynchronous version of the key derivation function in the library. Similar to `pbkdf2Sync`, it uses the flawed `toBuffer` function to handle inputs. As a result, it is also susceptible to the vulnerability where `Uint8Array` inputs are disregarded on older Node.js versions, leading to the generation of insecure, static keys.

WAF Protection Rules

WAF Rule

### Summary
On historic but declared as supported Node.js versions (0.12-2.x), pbkdf2 silently disregards Uint8Array input. This only affects Node.js <3.0.0, but `pbkdf2` claims to:
* Support Node.js [>= 0.12](https://github.com/browserify/pbkdf2/
