CVE-2025-6547

Publication date 23 June 2025

Last updated 19 June 2026


Ubuntu priority

Description

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.

Status

Package: node-pbkdf2

Ubuntu Release         Status
26.04 LTS resolute     Not affected
25.10 questing         Not affected
25.04 plucky           Ignored (end of life, was needs-triage)
24.10 oracular         Ignored (end of life, was needs-triage)
24.04 LTS noble        Not affected
22.04 LTS jammy        Not affected
20.04 LTS focal        Not affected
18.04 LTS bionic       Not affected

Notes


mrmajumder

Only issue with historic Node.js versions <3.0.0, therefore bionic and above releases are not affected, since they contain Node.js versions >= 8.10.0.

Severity score breakdown

CVSS version: CVSS v4.0

Base score 9.1 · Critical

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

