CVE-2025-6547
On Node.js < 3, pbkdf2 silently disregards Uint8Array input, returning static keys
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
23 Jun 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
Affected products
pbkdf2