Critical Key Derivation Flaws in pbkdf2 Affect Millions of JavaScript Projects, PoC Available

11mon 28d ago by sh.itjust.works/u/kid in cybersecurity@sh.itjust.works from securityonline.info

Summary copy pasta

A critical vulnerability in the pbkdf2 library affects versions 3.0.10 through 3.1.2. The vulnerability involves improper input validation that can cause browserified code to silently generate zero-filled cryptographic keys instead of proper ones, particularly when used in environments different from Node.js or test settings.

So pretty bad. 8.1 out of ten for setting your crypto keys to match the US nuclear arsenal in the 80s.

Paywalled.

Sorry. It was not paywalled for me when I first saw it. More info from a different source: https://feedly.com/cve/CVE-2025-6545