CVE-2025-6545 — pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized o

Description

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.

How to fix CVE-2025-6545

To remediate CVE-2025-6545, upgrade the affected package to a fixed version below.

Debian/node-pbkdf2—no fix listed
npm/pbkdf2—upgrade to 3.1.3 or later

Is CVE-2025-6545 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
>= 3.0.10, < 3.1.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-6545
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-6545
PATCHgithub.com/browserify/pbkdf2
WEBgithub.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078