CVE-2025-6545 (GCVE-0-2025-6545)
Vulnerability from cvelistv5
- CWE-20 - Improper Input Validation
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-6545", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-23T19:26:28.859577Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-23T19:26:40.223Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://npmjs.com/pbkdf2", "defaultStatus": "unaffected", "packageName": "pbkdf2", "programFiles": [ "lib/to-buffer.js" ], "repo": "https://github.com/browserify/pbkdf2", "versions": [ { "lessThanOrEqual": "3.1.2", "status": "affected", "version": "3.0.10", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/to-buffer.Js\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects pbkdf2: from 3.0.10 through 3.1.2.\u003c/p\u003e" } ], "value": "Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.\n\nThis issue affects pbkdf2: from 3.0.10 through 3.1.2." 
} ], "impacts": [ { "capecId": "CAPEC-475", "descriptions": [ { "lang": "en", "value": "CAPEC-475 Signature Spoofing by Improper Validation" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9.1, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-23T18:44:04.897Z", "orgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "shortName": "harborist" }, "references": [ { "tags": [ "third-party-advisory" ], "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6" }, { "tags": [ "x_introduced-by" ], "url": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078" }, { "tags": [ "patch" ], "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" } ], "source": { "discovery": "EXTERNAL" }, "title": "pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "assignerShortName": "harborist", "cveId": "CVE-2025-6545", 
"datePublished": "2025-06-23T18:41:18.771Z", "dateReserved": "2025-06-23T18:39:39.611Z", "dateUpdated": "2025-06-23T19:26:40.223Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-6545\",\"sourceIdentifier\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"published\":\"2025-06-23T19:15:25.220\",\"lastModified\":\"2025-06-23T20:16:21.633\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.\\n\\nThis issue affects pbkdf2: from 3.0.10 through 3.1.2.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de validaci\u00f3n de entrada incorrecta en pbkdf2 permite la suplantaci\u00f3n de firma mediante validaci\u00f3n incorrecta. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa lib/to-buffer.Js. 
Este problema afecta a pbkdf2 desde la versi\u00f3n 3.0.10 hasta la 3.1.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078\",
\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\"},{\"url\":\"https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\"},{\"url\":\"https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\"}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-6545\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-23T19:26:28.859577Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-23T19:26:33.879Z\"}}], \"cna\": {\"title\": \"pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-475\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-475 Signature Spoofing by Improper Validation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", 
\"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/browserify/pbkdf2\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.1.2\"}], \"packageName\": \"pbkdf2\", \"programFiles\": [\"lib/to-buffer.js\"], \"collectionURL\": \"https://npmjs.com/pbkdf2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078\", \"tags\": [\"x_introduced-by\"]}, {\"url\": \"https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. 
This vulnerability is associated with program files lib/to-buffer.Js.\\n\\nThis issue affects pbkdf2: from 3.0.10 through 3.1.2.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/to-buffer.Js\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects pbkdf2: from 3.0.10 through 3.1.2.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"7ffcee3d-2c14-4c3e-b844-86c6a321a158\", \"shortName\": \"harborist\", \"dateUpdated\": \"2025-06-23T18:44:04.897Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2025-6545\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-23T19:26:40.223Z\", \"dateReserved\": \"2025-06-23T18:39:39.611Z\", \"assignerOrgId\": \"7ffcee3d-2c14-4c3e-b844-86c6a321a158\", \"datePublished\": \"2025-06-23T18:41:18.771Z\", \"assignerShortName\": \"harborist\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
opensuse-su-2025:15280-1
Vulnerability from csaf_opensuse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python311-pytest-html-4.1.1-6.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python311-pytest-html-4.1.1-6.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2025-15280", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15280-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2025-5889 page", "url": "https://www.suse.com/security/cve/CVE-2025-5889/" }, { "category": "self", "summary": "SUSE CVE CVE-2025-6545 page", "url": "https://www.suse.com/security/cve/CVE-2025-6545/" } ], "title": "python311-pytest-html-4.1.1-6.1 on GA media", "tracking": { "current_release_date": "2025-07-03T00:00:00Z", "generator": { "date": "2025-07-03T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2025:15280-1", "initial_release_date": "2025-07-03T00:00:00Z", "revision_history": [ 
{ "date": "2025-07-03T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python311-pytest-html-4.1.1-6.1.aarch64", "product": { "name": "python311-pytest-html-4.1.1-6.1.aarch64", "product_id": "python311-pytest-html-4.1.1-6.1.aarch64" } }, { "category": "product_version", "name": "python312-pytest-html-4.1.1-6.1.aarch64", "product": { "name": "python312-pytest-html-4.1.1-6.1.aarch64", "product_id": "python312-pytest-html-4.1.1-6.1.aarch64" } }, { "category": "product_version", "name": "python313-pytest-html-4.1.1-6.1.aarch64", "product": { "name": "python313-pytest-html-4.1.1-6.1.aarch64", "product_id": "python313-pytest-html-4.1.1-6.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python311-pytest-html-4.1.1-6.1.ppc64le", "product": { "name": "python311-pytest-html-4.1.1-6.1.ppc64le", "product_id": "python311-pytest-html-4.1.1-6.1.ppc64le" } }, { "category": "product_version", "name": "python312-pytest-html-4.1.1-6.1.ppc64le", "product": { "name": "python312-pytest-html-4.1.1-6.1.ppc64le", "product_id": "python312-pytest-html-4.1.1-6.1.ppc64le" } }, { "category": "product_version", "name": "python313-pytest-html-4.1.1-6.1.ppc64le", "product": { "name": "python313-pytest-html-4.1.1-6.1.ppc64le", "product_id": "python313-pytest-html-4.1.1-6.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python311-pytest-html-4.1.1-6.1.s390x", "product": { "name": "python311-pytest-html-4.1.1-6.1.s390x", "product_id": "python311-pytest-html-4.1.1-6.1.s390x" } }, { "category": "product_version", "name": "python312-pytest-html-4.1.1-6.1.s390x", "product": { "name": "python312-pytest-html-4.1.1-6.1.s390x", "product_id": "python312-pytest-html-4.1.1-6.1.s390x" } }, { "category": 
"product_version", "name": "python313-pytest-html-4.1.1-6.1.s390x", "product": { "name": "python313-pytest-html-4.1.1-6.1.s390x", "product_id": "python313-pytest-html-4.1.1-6.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python311-pytest-html-4.1.1-6.1.x86_64", "product": { "name": "python311-pytest-html-4.1.1-6.1.x86_64", "product_id": "python311-pytest-html-4.1.1-6.1.x86_64" } }, { "category": "product_version", "name": "python312-pytest-html-4.1.1-6.1.x86_64", "product": { "name": "python312-pytest-html-4.1.1-6.1.x86_64", "product_id": "python312-pytest-html-4.1.1-6.1.x86_64" } }, { "category": "product_version", "name": "python313-pytest-html-4.1.1-6.1.x86_64", "product": { "name": "python313-pytest-html-4.1.1-6.1.x86_64", "product_id": "python313-pytest-html-4.1.1-6.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python311-pytest-html-4.1.1-6.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.aarch64" }, "product_reference": "python311-pytest-html-4.1.1-6.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-pytest-html-4.1.1-6.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.ppc64le" }, "product_reference": "python311-pytest-html-4.1.1-6.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": 
"default_component_of", "full_product_name": { "name": "python311-pytest-html-4.1.1-6.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.s390x" }, "product_reference": "python311-pytest-html-4.1.1-6.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python311-pytest-html-4.1.1-6.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.x86_64" }, "product_reference": "python311-pytest-html-4.1.1-6.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-pytest-html-4.1.1-6.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.aarch64" }, "product_reference": "python312-pytest-html-4.1.1-6.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-pytest-html-4.1.1-6.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.ppc64le" }, "product_reference": "python312-pytest-html-4.1.1-6.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-pytest-html-4.1.1-6.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.s390x" }, "product_reference": "python312-pytest-html-4.1.1-6.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python312-pytest-html-4.1.1-6.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.x86_64" }, "product_reference": "python312-pytest-html-4.1.1-6.1.x86_64", 
"relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python313-pytest-html-4.1.1-6.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.aarch64" }, "product_reference": "python313-pytest-html-4.1.1-6.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python313-pytest-html-4.1.1-6.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.ppc64le" }, "product_reference": "python313-pytest-html-4.1.1-6.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python313-pytest-html-4.1.1-6.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.s390x" }, "product_reference": "python313-pytest-html-4.1.1-6.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python313-pytest-html-4.1.1-6.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.x86_64" }, "product_reference": "python313-pytest-html-4.1.1-6.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-5889", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2025-5889" } ], "notes": [ { "category": "general", "text": "A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. 
The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2025-5889", "url": "https://www.suse.com/security/cve/CVE-2025-5889" }, { "category": "external", "summary": "SUSE Bug 1244340 for CVE-2025-5889", "url": "https://bugzilla.suse.com/1244340" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.ppc64le", "openSUSE 
Tumbleweed:python312-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 2.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-07-03T00:00:00Z", "details": "low" } ], "title": "CVE-2025-5889" }, { "cve": "CVE-2025-6545", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2025-6545" } ], "notes": [ { "category": "general", "text": "Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. 
This vulnerability is associated with program files lib/to-buffer.Js.\n\nThis issue affects pbkdf2: from 3.0.10 through 3.1.2.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2025-6545", "url": "https://www.suse.com/security/cve/CVE-2025-6545" }, { "category": "external", "summary": "SUSE Bug 1245273 for CVE-2025-6545", "url": "https://bugzilla.suse.com/1245273" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.aarch64", "openSUSE 
Tumbleweed:python313-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python311-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python312-pytest-html-4.1.1-6.1.x86_64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.aarch64", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.ppc64le", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.s390x", "openSUSE Tumbleweed:python313-pytest-html-4.1.1-6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-07-03T00:00:00Z", "details": "important" } ], "title": "CVE-2025-6545" } ] }
rhsa-2025:10738
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Kiali 2.4.7 for Red Hat OpenShift Service Mesh 3.0\nThis update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section", "title": "Topic" }, { "category": "general", "text": "Kiali 2.4.7, for Red Hat OpenShift Service Mesh 3.0, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently\nSecurity Fix(es):\n* openshift-service-mesh/kiali-ossmc-rhel9: pbkdf2 silently returns predictable key material (CVE-2025-6545) * openshift-service-mesh/kiali-ossmc-rhel9: pbkdf2 silently returns static keys (CVE-2025-6547)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2025:10738", "url": "https://access.redhat.com/errata/RHSA-2025:10738" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-6545", "url": "https://access.redhat.com/security/cve/CVE-2025-6545" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-6547", "url": "https://access.redhat.com/security/cve/CVE-2025-6547" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification", "url": "https://access.redhat.com/security/updates/classification" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/", "url": "https://access.redhat.com/security/updates/classification/" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10738.json" } ], "title": "Red Hat Security Advisory: Kiali 2.4.7 for Red Hat OpenShift Service Mesh 3.0", "tracking": { "current_release_date": "2025-08-19T15:18:22+00:00", "generator": { "date": "2025-08-19T15:18:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2025:10738", "initial_release_date": "2025-07-09T15:20:25+00:00", "revision_history": [ { "date": "2025-07-09T15:20:25+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-07-09T15:20:31+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-19T15:18:22+00:00", "number": "3", "summary": "Last generated version" } ], 
"status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Service Mesh 3.0", "product": { "name": "Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:service_mesh:3.0::el9" } } } ], "category": "product_family", "name": "Red Hat OpenShift Service Mesh" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9@sha256%3A8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549742" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "product_identification_helper": { "purl": "pkg:oci/kiali-operator-bundle@sha256%3A86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=9.4-1751554068" } } }, { "category": "product_version", "name": 
"registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9-operator@sha256%3A284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751438375" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "product_identification_helper": { "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ab6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549390" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64", "product_id": 
"registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9@sha256%3Ad22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549742" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9-operator@sha256%3Aeb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751438375" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "product_identification_helper": { "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549390" } } } ], "category": "architecture", "name": "arm64" }, { "branches": [ { "category": "product_version", "name": 
"registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9@sha256%3A2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549742" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9-operator@sha256%3A4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751438375" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le", 
"product_identification_helper": { "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ae344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549390" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9@sha256%3A0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549742" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel9-operator@sha256%3Aa8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751438375" } } }, { "category": "product_version", "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", 
"product": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "product_identification_helper": { "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=2.4.7-1751549390" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64 as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x" }, "product_reference": 
"registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64 as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64 as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 
3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64 as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x as 
a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64 as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": 
"registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64 as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64 as a component of Red Hat OpenShift Service Mesh 3.0", "product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64" }, "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64", "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0" } ] }, "vulnerabilities": [ { "cve": 
"CVE-2025-6545", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2025-06-23T19:00:51.575615+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2374370" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm pbkdf2 library, allowing signature spoofing. 
When executing in javascript engines other than Nodejs or Nodejs when importing pbkdf2/browser, certain algorithms will silently fail and return invalid data. The return values are predictable, which undermines the security guarantees of the package.", "title": "Vulnerability description" }, { "category": "summary", "text": "pbkdf2: pbkdf2 silently returns predictable key material", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw is rated important because it causes the pbkdf2 module to quietly return weak or zero-filled keys when certain algorithm names are used incorrectly in browsers or bundled code, this causes the function to silently return a predictable value (such as a zero-filled buffer or uninitialized memory) instead of a securely derived key, completely undermining the confidentiality and integrity of any cryptographic operation where attackers could guess or reuse these keys to access or change protected data.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "Red Hat OpenShift Service Mesh 
3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le" ], "known_not_affected": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-6545" }, { "category": "external", "summary": "RHBZ#2374370", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2374370" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-6545", "url": "https://www.cve.org/CVERecord?id=CVE-2025-6545" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078", "url": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb", "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6", "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6" } ], "release_date": "2025-06-23T18:41:18.771000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-07-09T15:20:25+00:00", "details": "See Kiali 2.4.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat", "product_ids": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "Red Hat OpenShift Service Mesh 
3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:10738" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "Red Hat OpenShift Service Mesh 
3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "pbkdf2: pbkdf2 silently returns predictable key material" }, { "cve": "CVE-2025-6547", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2025-06-23T20:01:13.559691+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "Red Hat OpenShift Service Mesh 
3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2374378" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm pbkdf2 library, allowing signature spoofing. Under specific use cases, pbkdf2 may return static keys. This issue only occurs when running the library on Node.js.", "title": "Vulnerability description" }, { "category": "summary", "text": "pbkdf2: pbkdf2 silently returns static keys", "title": "Vulnerability summary" }, { "category": "other", "text": "This vulnerability is rated as an Important severity because a logic flaw was found in the npm pbkdf2 library where the vulnerability, located in the toBuffer method, causes password and salt inputs provided as Uint8Array objects to be silently ignored. 
This results in the function returning a static, predictable key derived from empty inputs, completely undermining the security guarantees of any feature that relies on the generated key, this allows an attacker to forge signatures, leading to a complete compromise of the application\u0027s data confidentiality, integrity, and availability.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le" ], "known_not_affected": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "Red Hat OpenShift Service Mesh 
3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-6547" }, { "category": "external", "summary": "RHBZ#2374378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-6547", "url": "https://www.cve.org/CVERecord?id=CVE-2025-6547" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6547", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6547" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb", "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-v62p-rq8g-8h59", "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-v62p-rq8g-8h59" } ], "release_date": 
"2025-06-23T19:00:45.472000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-07-09T15:20:25+00:00", "details": "See Kiali 2.4.7 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat", "product_ids": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:10738" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:86eecafcc67decea003dea06852c210885b67196ff59a617cb5036f0d2bed37e_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:14dd5a2f47a4f8d6002c3dad016ed2a38152a6620791434e6c984a792e71ba1c_s390x", "Red Hat OpenShift Service Mesh 
3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:42de033cb085879e97b82ac80ba5df78f568e9bd1c16dd3ce8a962c90954dc2f_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:b6b9606667f2b9577fa32952ceb99eae5ddca422e6752ebee17db9b83f375365_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e344632439c338ef64c568d8031db9c95928cb97708b0cad9cfdbe584748d1da_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:284b003614b2523a5078eaeda51502dc84d0f1de6b1e7eac78bee2663b38fbdc_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:4e14fb285eb5db7aba0b5af906eee76e204bc8f6bdce39cf62681252dd8974c6_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a8a4b880e0dd172019888a7e26d14d23b6f155a3d4f576561ddcb5778bbe1e67_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:eb3134b269571b504b33437f464058ae0993d88e7d043f2cfb0a8f4d69ec8edc_arm64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0da2382a21654cb2d53be2eab65ac2ad9a43b98153702b77d74d48eccd4f72b8_s390x", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2055c60709600b67eab9a70a4ec437f065f85247fa5955466b8c0370962093d1_ppc64le", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:8a92df3d16b2c5b865567a8cd9663b0c41c46f2aef6b62e412da7bb0b963339f_amd64", "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d22c1524e11d770dac4108b403b035fc74746b83b10cb68eed480ce6d5334503_arm64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "pbkdf2: pbkdf2 
silently returns static keys" } ] }
rhsa-2025:14090
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat Developer Hub 1.7.0 has been released.", "title": "Topic" }, { "category": "general", "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2025:14090", "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-22870", "url": "https://access.redhat.com/security/cve/CVE-2025-22870" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-32996", "url": "https://access.redhat.com/security/cve/CVE-2025-32996" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-32997", "url": "https://access.redhat.com/security/cve/CVE-2025-32997" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-48387", "url": "https://access.redhat.com/security/cve/CVE-2025-48387" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-48997", "url": "https://access.redhat.com/security/cve/CVE-2025-48997" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-5417", "url": "https://access.redhat.com/security/cve/CVE-2025-5417" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-54419", "url": "https://access.redhat.com/security/cve/CVE-2025-54419" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-6545", "url": "https://access.redhat.com/security/cve/CVE-2025-6545" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-7338", "url": "https://access.redhat.com/security/cve/CVE-2025-7338" }, { "category": 
"external", "summary": "https://access.redhat.com/security/updates/classification/", "url": "https://access.redhat.com/security/updates/classification/" }, { "category": "external", "summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh", "url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh" }, { "category": "external", "summary": "https://developers.redhat.com/rhdh/overview", "url": "https://developers.redhat.com/rhdh/overview" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub", "url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub" }, { "category": "external", "summary": "https://issues.redhat.com/browse/RHIDP-6469", "url": "https://issues.redhat.com/browse/RHIDP-6469" }, { "category": "external", "summary": "https://issues.redhat.com/browse/RHIDP-6470", "url": "https://issues.redhat.com/browse/RHIDP-6470" }, { "category": "external", "summary": "https://issues.redhat.com/browse/RHIDP-6937", "url": "https://issues.redhat.com/browse/RHIDP-6937" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14090.json" } ], "title": "Red Hat Security Advisory: Red Hat Developer Hub 1.7.0 release.", "tracking": { "current_release_date": "2025-08-20T16:29:04+00:00", "generator": { "date": "2025-08-20T16:29:04+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2025:14090", "initial_release_date": "2025-08-19T11:33:06+00:00", "revision_history": [ { "date": "2025-08-19T11:33:06+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-08-19T11:33:10+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-20T16:29:04+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": 
"product_name", "name": "Red Hat Developer Hub 1.7", "product": { "name": "Red Hat Developer Hub 1.7", "product_id": "Red Hat Developer Hub 1.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhdh:1.7::el9" } } } ], "category": "product_family", "name": "Red Hat Developer Hub" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "product": { "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "product_identification_helper": { "purl": "pkg:oci/rhdh-hub-rhel9@sha256%3Aaa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.0-1754936470" } } }, { "category": "product_version", "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64", "product": { "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64", "product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64", "product_identification_helper": { "purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.0-1754935808" } } }, { "category": "product_version", "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "product": { "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "product_id": 
"registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "product_identification_helper": { "purl": "pkg:oci/rhdh-operator-bundle@sha256%3A7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.0-1754942441" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64 as a component of Red Hat Developer Hub 1.7", "product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" }, "product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "relates_to_product_reference": "Red Hat Developer Hub 1.7" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64 as a component of Red Hat Developer Hub 1.7", "product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64" }, "product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "relates_to_product_reference": "Red Hat Developer Hub 1.7" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64 as a component of Red Hat Developer Hub 1.7", "product_id": "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" }, "product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64", "relates_to_product_reference": "Red Hat Developer Hub 1.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-5417", "cwe": { "id": "CWE-266", "name": "Incorrect Privilege Assignment" }, "discovery_date": "2025-05-31T22:35:41+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2369602" } ], "notes": [ { "category": "description", "text": "An insufficient access control vulnerability was found in the Red Hat\nDeveloper Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the\nrhdh/rhdh-hub-rhel9 container image and modify the image\u0027s content. 
This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts.", "title": "Vulnerability description" }, { "category": "summary", "text": "rhdh: Red Hat Developer Hub user permissions", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Developer Hub 1.6 is not affected by this vulnerability.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-5417" }, { "category": "external", "summary": "RHBZ#2369602", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369602" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-5417", "url": "https://www.cve.org/CVERecord?id=CVE-2025-5417" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5417", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5417" } ], "release_date": "2025-08-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": "Red Hat Developer Hub 1.5 contains mitigation guidelines present at https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.5/html/configuring_red_hat_developer_hub/readonlyrootfilesystem", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "rhdh: Red Hat Developer Hub user permissions" }, { "cve": "CVE-2025-6545", "cwe": { "id": "CWE-20", "name": "Improper Input 
Validation" }, "discovery_date": "2025-06-23T19:00:51.575615+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2374370" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm pbkdf2 library, allowing signature spoofing. When executing in javascript engines other than Nodejs or Nodejs when importing pbkdf2/browser, certain algorithms will silently fail and return invalid data. The return values are predictable, which undermines the security guarantees of the package.", "title": "Vulnerability description" }, { "category": "summary", "text": "pbkdf2: pbkdf2 silently returns predictable key material", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw is rated important because it causes the pbkdf2 module to quietly return weak or zero-filled keys when certain algorithm names are used incorrectly in browsers or bundled code, this causes the function to silently return a predictable value (such as a zero-filled buffer or uninitialized memory) instead of a securely derived key, completely undermining the confidentiality and integrity of any cryptographic operation where attackers could guess or reuse these keys to access or change protected data.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-6545" }, { "category": "external", "summary": "RHBZ#2374370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374370" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-6545", "url": "https://www.cve.org/CVERecord?id=CVE-2025-6545" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078", "url": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb", "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" }, { "category": "external", "summary": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6", "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6" } ], "release_date": "2025-06-23T18:41:18.771000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "pbkdf2: pbkdf2 silently returns predictable key material" }, { "cve": "CVE-2025-7338", "cwe": { "id": "CWE-248", "name": "Uncaught Exception" }, "discovery_date": "2025-07-17T16:00:55.704118+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2381726" } ], "notes": [ { "category": "description", "text": "A denial of service vulnerability was found in the Multer NPM library. 
This vulnerability allows an attacker to trigger a denial of service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, resulting in a process crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "multer: Multer Denial of Service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-7338" }, { "category": "external", "summary": "RHBZ#2381726", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2381726" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-7338", "url": "https://www.cve.org/CVERecord?id=CVE-2025-7338" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7338", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7338" }, { "category": "external", "summary": "https://cna.openjsf.org/security-advisories.html", "url": "https://cna.openjsf.org/security-advisories.html" }, { "category": "external", "summary": "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b", "url": 
"https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b" }, { "category": "external", "summary": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p", "url": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p" } ], "release_date": "2025-07-17T15:26:45.427000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "multer: Multer Denial of Service" }, { "cve": "CVE-2025-22870", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2025-03-12T19:00:59.178193+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2351766" } ], "notes": [ { "category": "description", "text": "A flaw was found in proxy host matching. 
This vulnerability allows improper bypassing of proxy settings via manipulating an IPv6 zone ID, causing unintended matches against the NO_PROXY environment variable.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net", "title": "Vulnerability summary" }, { "category": "other", "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections such as IPS/IDS and antimalware solutions help detect and mitigate malicious payloads stemming from input validation vulnerabilities. 
Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-22870" }, { "category": "external", "summary": "RHBZ#2351766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351766" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22870", "url": "https://www.cve.org/CVERecord?id=CVE-2025-22870" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22870", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22870" }, { "category": "external", "summary": "https://go.dev/cl/654697", "url": "https://go.dev/cl/654697" }, { "category": "external", "summary": "https://go.dev/issue/71984", "url": "https://go.dev/issue/71984" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2025-3503", "url": "https://pkg.go.dev/vuln/GO-2025-3503" } ], "release_date": "2025-03-12T18:27:59.376000+00:00", 
"remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net" }, { "cve": "CVE-2025-32996", "cwe": { "id": "CWE-670", "name": "Always-Incorrect Control Flow Implementation" }, "discovery_date": "2025-04-15T03:00:44.384011+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2359627" } ], "notes": [ { "category": "description", "text": "In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because \"else if\" is not used.", "title": "Vulnerability description" }, { "category": "summary", "text": "http-proxy-middleware: Always-Incorrect Control Flow Implementation in http-proxy-middleware", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-32996" }, { "category": "external", "summary": "RHBZ#2359627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359627" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-32996", "url": "https://www.cve.org/CVERecord?id=CVE-2025-32996" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-32996", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32996" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/commit/020976044d113fc0bcbbaf995e91d05e2829a145", "url": "https://github.com/chimurai/http-proxy-middleware/commit/020976044d113fc0bcbbaf995e91d05e2829a145" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/pull/1089", "url": "https://github.com/chimurai/http-proxy-middleware/pull/1089" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8", "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4", "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4" } ], "release_date": "2025-04-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": 
"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "http-proxy-middleware: Always-Incorrect Control Flow Implementation in http-proxy-middleware" }, { "cve": "CVE-2025-32997", "cwe": { "id": "CWE-754", "name": "Improper Check for Unusual or Exceptional Conditions" }, "discovery_date": "2025-04-15T03:00:47.160071+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2359628" } ], "notes": [ { "category": "description", "text": "A flaw was found in http-proxy-middleware. The issue occurs because the fixRequestBody function proceeds even when bodyParser has failed, which could lead to unintended behavior.", "title": "Vulnerability description" }, { "category": "summary", "text": "http-proxy-middleware: Improper Check for Unusual or Exceptional Conditions in http-proxy-middleware", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-32997" }, { "category": "external", "summary": "RHBZ#2359628", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359628" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-32997", "url": "https://www.cve.org/CVERecord?id=CVE-2025-32997" }, { 
"category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-32997", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32997" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/commit/1bdccbeec243850f1d2bb50ea0ff2151e725d67e", "url": "https://github.com/chimurai/http-proxy-middleware/commit/1bdccbeec243850f1d2bb50ea0ff2151e725d67e" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/pull/1096", "url": "https://github.com/chimurai/http-proxy-middleware/pull/1096" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.9", "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.9" }, { "category": "external", "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.5", "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.5" } ], "release_date": "2025-04-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "http-proxy-middleware: Improper Check for Unusual or Exceptional Conditions in http-proxy-middleware" }, { "cve": "CVE-2025-48387", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2025-06-02T20:00:45.526571+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2369875" } ], "notes": [ { "category": 
"description", "text": "A flaw was found in tar-fs. This vulnerability allows files to be written outside the intended extraction directory via specially crafted tar archives. The issue arises from insufficient path validation during tarball extraction, potentially enabling path traversal attacks that can overwrite arbitrary files on the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball", "title": "Vulnerability summary" }, { "category": "other", "text": "This vulnerability in tar-fs is Important not a moderate flaw, primarily due to its ability to bypass directory confinement during tarball extraction. The core issue\u2014path traversal via crafted archive entries\u2014allows attackers to write files outside the intended extraction directory, potentially overwriting system files, configuration files, or injecting malicious scripts into sensitive locations. Unlike moderate flaws that may require specific conditions or user interaction to exploit, this vulnerability can be triggered automatically in server-side environments that extract user-supplied tar files (e.g., CI/CD systems, deployment tools, or file upload handlers). 
Its exploitation could lead to remote code execution, privilege escalation, or denial of service, depending on the context.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-48387" }, { "category": "external", "summary": "RHBZ#2369875", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369875" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48387", "url": "https://www.cve.org/CVERecord?id=CVE-2025-48387" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48387", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48387" }, { "category": "external", "summary": "https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f", "url": "https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f" }, { "category": "external", "summary": "https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v", "url": "https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v" } ], "release_date": "2025-06-02T19:20:18.220000+00:00", "remediations": [ { "category": 
"vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tar-fs: tar-fs has issue where 
extract can write outside the specified dir with a specific tarball" }, { "cve": "CVE-2025-48997", "cwe": { "id": "CWE-248", "name": "Uncaught Exception" }, "discovery_date": "2025-06-03T19:01:06.246004+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2370084" } ], "notes": [ { "category": "description", "text": "An unhandled exception flaw was found in multer. This issue allows an attacker to trigger an application level denial of service by sending an upload file request with an empty string field name, which triggers an exception in processing that is not properly handled. This issue will lead to a program crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "multer: Multer vulnerable to Denial of Service via unhandled exception", "title": "Vulnerability summary" }, { "category": "other", "text": "The denial of service impact is limited to the program that integrates multer. 
The host operating system is not affected.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-48997" }, { "category": "external", "summary": "RHBZ#2370084", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370084" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48997", "url": "https://www.cve.org/CVERecord?id=CVE-2025-48997" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48997", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48997" }, { "category": "external", "summary": "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9", "url": "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9" }, { "category": "external", "summary": "https://github.com/expressjs/multer/issues/1233", "url": "https://github.com/expressjs/multer/issues/1233" }, { "category": "external", "summary": "https://github.com/expressjs/multer/pull/1256", "url": "https://github.com/expressjs/multer/pull/1256" }, { "category": "external", "summary": 
"https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg", "url": "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg" } ], "release_date": "2025-06-03T18:21:59.527000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "multer: Multer vulnerable to Denial of Service via unhandled exception" }, { "cve": "CVE-2025-54419", "cwe": { "id": "CWE-347", "name": "Improper Verification of Cryptographic Signature" }, "discovery_date": "2025-07-28T20:02:41.635540+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2384049" } ], "notes": [ { "category": "description", "text": "A signature verification flaw was found in the npm @node-saml/node-saml library. This flaw allows an attacker who has access to a validly signed document from the identity provider (IdP) to alter the content of the document, modify the details within the document, and have the modifications be accepted.", "title": "Vulnerability description" }, { "category": "summary", "text": "@node-saml/node-saml: Node-SAML Signature Verification Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "This is a Important impact authn-bypass, not a Moderate bug, because it breaks the core trust boundary of SAML: the service provider (SP) makes authorization decisions based on an assertion it believes is protected by the IdP\u2019s XML signature. 
In @node-saml/node-saml \u22645.0.1, the library verifies the signature over one part of the response but then parses/uses fields from the original, unsigned document, a classic signature-wrapping/mismatch flaw. An attacker who possesses any validly signed SAML response (e.g., their own login, a captured response, or one from a lower-privileged account) can alter critical elements\u2014such as the Subject/NameID (e.g., drop a character to map to a different user), group/role attributes, AuthnContext, or Conditions\u2014without invalidating the signature, and the SP will accept the modified values. That enables account takeover, privilege escalation, MFA/step-up bypass (via AuthnContext changes), and policy circumvention across every SP relying on this library. The only prerequisite is access to a single signed response; no IdP compromise is required.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-54419" }, { "category": "external", "summary": "RHBZ#2384049", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384049" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2025-54419", "url": "https://www.cve.org/CVERecord?id=CVE-2025-54419" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-54419", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54419" }, { "category": "external", "summary": "https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10", "url": "https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10" }, { "category": "external", "summary": "https://github.com/node-saml/node-saml/releases/tag/v5.1.0", "url": "https://github.com/node-saml/node-saml/releases/tag/v5.1.0" }, { "category": "external", "summary": "https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3", "url": "https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3" } ], "release_date": "2025-07-28T19:47:46.584000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-19T11:33:06+00:00", "details": "For more about Red Hat Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:14090" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 
1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64", "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "@node-saml/node-saml: Node-SAML Signature Verification Vulnerability" } ] }
fkie_cve-2025-6545
Vulnerability from fkie_nvd
Source | URL | Tags
---|---|---
7ffcee3d-2c14-4c3e-b844-86c6a321a158 | https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078 |
7ffcee3d-2c14-4c3e-b844-86c6a321a158 | https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb |
7ffcee3d-2c14-4c3e-b844-86c6a321a158 | https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6 |

Vendor | Product | Version
---|---|---
{ "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.\n\nThis issue affects pbkdf2: from 3.0.10 through 3.1.2." }, { "lang": "es", "value": "La vulnerabilidad de validaci\u00f3n de entrada incorrecta en pbkdf2 permite la suplantaci\u00f3n de firma mediante validaci\u00f3n incorrecta. Esta vulnerabilidad est\u00e1 asociada con los archivos de programa lib/to-buffer.Js. Este problema afecta a pbkdf2 desde la versi\u00f3n 3.0.10 hasta la 3.1.2." } ], "id": "CVE-2025-6545", "lastModified": "2025-06-23T20:16:21.633", "metrics": { "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "type": "Secondary" } ] }, "published": "2025-06-23T19:15:25.220", "references": [ { "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "url": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078" }, { "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" }, { "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6" } ], "sourceIdentifier": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "vulnStatus": "Awaiting Analysis", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "type": "Secondary" } ] }
wid-sec-w-2025-1409
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM App Connect Enterprise kombiniert die branchenbew\u00e4hrten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um Daten zu manipulieren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2025-1409 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1409.json" }, { "category": "self", "summary": "WID-SEC-2025-1409 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1409" }, { "category": "external", "summary": "IBM Security Bulletin vom 2025-06-26", "url": "https://www.ibm.com/support/pages/node/7238174" } ], "source_lang": "en-US", "title": "IBM App Connect Enterprise: Mehrere Schwachstellen erm\u00f6glichen Manipulation von Daten", "tracking": { "current_release_date": "2025-06-26T22:00:00.000+00:00", "generator": { "date": 
"2025-06-27T09:56:40.354+00:00", "engine": { "name": "BSI-WID", "version": "1.3.12" } }, "id": "WID-SEC-W-2025-1409", "initial_release_date": "2025-06-26T22:00:00.000+00:00", "revision_history": [ { "date": "2025-06-26T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "Certified Container Operator \u003c11.6.0", "product": { "name": "IBM App Connect Enterprise Certified Container Operator \u003c11.6.0", "product_id": "T044885" } }, { "category": "product_version", "name": "Certified Container Operator 11.6.0", "product": { "name": "IBM App Connect Enterprise Certified Container Operator 11.6.0", "product_id": "T044885-fixed", "product_identification_helper": { "cpe": "cpe:/a:ibm:app_connect_enterprise:certified_container_operator__11.6.0" } } } ], "category": "product_name", "name": "App Connect Enterprise" } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-6545", "product_status": { "known_affected": [ "T044885" ] }, "release_date": "2025-06-26T22:00:00.000+00:00", "title": "CVE-2025-6545" }, { "cve": "CVE-2025-6547", "product_status": { "known_affected": [ "T044885" ] }, "release_date": "2025-06-26T22:00:00.000+00:00", "title": "CVE-2025-6547" } ] }
ghsa-h7cp-r72f-jxh6
Vulnerability from github
Summary
This affects both:
1. Unsupported algos (e.g. `sha3-256` / `sha3-512` / `sha512-256`)
2. Supported but non-normalized algos (e.g. `Sha256` / `Sha512` / `SHA1` / `sha-1` / `sha-256` / `sha-512`)
All of those work correctly in Node.js, but this polyfill silently returns highly predictable output.
Under Node.js (only with the `pbkdf2/browser` import, which is unlikely) and under Bun (where the top-level `pbkdf2` import is affected), the memory is not zero-filled but uninitialized, because `Buffer.allocUnsafe` is used.
Under browsers, it simply returns zero-filled buffers. That is also critical: such values are completely unacceptable as KDF output and ruin the security of anything keyed from them.
Were you affected?
The full list of arguments that were **not** affected were the literal strings:
* `'md5'`
* `'sha1'`
* `'sha224'`
* `'sha256'`
* `'sha384'`
* `'sha512'`
* `'rmd160'`
* `'ripemd160'`
Any other argument, e.g. representation variations of the above like `'SHA-1'` / `'sha-256'` / `'SHA512'`, or different algos like `'sha3-512'` / `'blake2b512'`, while supported by the Node.js `crypto` module, returned predictable output from `pbkdf2` (or from the `crypto` browser/bundler polyfill).
Beware of packages re-exporting this under a different signature, like (abstract):
```js
const crypto = require('crypto')
// The caller picks the digest; whatever they pass reaches pbkdf2 unchecked
module.exports.deriveKey = (algo, pass, salt) => crypto.pbkdf2Sync(pass, salt, 2048, 64, algo)
```
In this case, the resulting `deriveKey` method is also affected (to the same extent / under the same conditions as listed here).
Environments
This affects `require('crypto')` in polyfilled mode (e.g. from `crypto-browserify`, `node-libs-browser`, `vite-plugin-node-polyfills`, `node-stdlib-browser`, etc. -- basically everything that bundles/polyfills `crypto`):
- In bundled code (e.g. Webpack / Vite / whatever), this affects `require('crypto')` and `require('pbkdf2')`
- On Node.js, this does not affect `require('pbkdf2')` (or `require('crypto')`, obviously), but does affect `require('pbkdf2/browser')`
- On Bun, this does affect `require('pbkdf2')` and `require('pbkdf2/browser')` (and returns uninitialized memory, often zeros / sparse flipped bytes)
PoC
```js
const node = require('crypto')
const polyfill = require('pbkdf2/browser')

// Digest names Node.js accepts but the polyfill does not recognise literally
const algos = [
  'sha3-512', 'sha3-256', 'SHA3-384',
  'Sha256', 'Sha512', 'sha512-256',
  'SHA1', 'sha-1',
  'blake2b512',
  'RMD160', 'RIPEMD-160', 'ripemd-160',
]
for (const algo of algos) {
  // Same inputs through Node.js crypto and through the polyfill, side by side
  for (const { pbkdf2Sync } of [node, polyfill]) {
    const key = pbkdf2Sync('secret', 'salt', 100000, 64, algo)
    console.log(`${algo}: ${key.toString('hex')}`)
  }
}
```
Output (odd lines are Node.js, even lines are the `pbkdf2` module / polyfill):
```
sha3-512: de00370414a3251d6d620dc8f7c371644e5d7f365ab23b116298a23fa4077b39deab802dd61714847a5c7e9981704ffe009aee5bb40f6f0103fc60f3d4cedfb0
sha3-512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
sha3-256: 76bf06909b91e4c968700078ee36af92019d0839ab1fea2f345c6c8685074ca0179302633fbd84d22cff4f8744952b2d07edbfc9658e95d30fb4e93ee067c7c9
sha3-256: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
SHA3-384: 2b2b41b73f9b7bcd023f709ea84ba3c29a88edc311b737856ba9e74a2d9a928f233eb8cb404a9ba93c276edf6380c692140024a0bc12b75bfa38626207915e01
SHA3-384: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Sha256: 3fa094211c0cf2ed1d332ab43adc69aab469f0e0f2cae6345c81bb874eef3f9eb2c629052ec272ca49c2ee95b33e7ba6377b2317cd0dacce92c4748d3c7a45f0
Sha256: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Sha512: 3745e482c6e0ade35da10139e797157f4a5da669dad7d5da88ef87e47471cc47ed941c7ad618e827304f083f8707f12b7cfdd5f489b782f10cc269e3c08d59ae
Sha512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
sha512-256: e423f61987413121418715d0ebf64cb646042ae9a09fe4fd2c764a4f186ba28cf70823fdc2b03dda67a0d977c6f0a0612e5ed74a11e6f32b033cb658fa9f270d
sha512-256: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
SHA1: 0e24bc5a548b236e3eb3b22317ef805664a88747c725cd35bfb0db0e4ae5539e3ed5cd5ba8c0ac018deb6518059788c8fffbe624f614fbbe62ba6a6e174e4a72
SHA1: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
sha-1: 0e24bc5a548b236e3eb3b22317ef805664a88747c725cd35bfb0db0e4ae5539e3ed5cd5ba8c0ac018deb6518059788c8fffbe624f614fbbe62ba6a6e174e4a72
sha-1: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
blake2b512: d3d661100c5ffb79bdf3b5c77d1698e621414cba40e2348bd3f1b10fbd2fe97bff4dc7d76474955bfefa61179f2a37e9dddedced0e7e79ef9d8c678080d45926
blake2b512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
RMD160: ec65dbad1485616cf0426725d64e009ad3e1633543746ccb56b7f06eb7ce51d0249aaef27c879f32911a7c0accdc83389c2948ddec439114f6165366f9b4cca2
RMD160: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
RIPEMD-160: ec65dbad1485616cf0426725d64e009ad3e1633543746ccb56b7f06eb7ce51d0249aaef27c879f32911a7c0accdc83389c2948ddec439114f6165366f9b4cca2
RIPEMD-160: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ripemd-160: ec65dbad1485616cf0426725d64e009ad3e1633543746ccb56b7f06eb7ce51d0249aaef27c879f32911a7c0accdc83389c2948ddec439114f6165366f9b4cca2
ripemd-160: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
```
Uninitialized memory
```js
const { pbkdf2Sync } = require('pbkdf2/browser') // or just 'pbkdf2' on Bun will do this too

// Same inputs every time; any change in output means the buffer was never written
let prev
for (let i = 0; i < 100000; i++) {
  const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha3-256')
  const hex = key.toString('hex')
  if (hex !== prev) console.log(hex)
  prev = hex
}
```
Affected versions
Seems to be since https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078
Impact
This is critical: browserified code might silently generate zero-filled keys instead of proper ones, for code that was working on Node.js or in a test environment.
Just updating to a fixed version is not enough: if anyone was using the `pbkdf2` lib (e.g. via `crypto-browserify` or directly) with algos not from the literal string list (see "Were you affected?"), recheck where those keys went / how they were used, and take action accordingly.
Note
Most likely, you receive this either through a subdep using the `pbkdf2` module directly (and then it is used), or through `crypto-browserify` (and the usage depends on whether you or any of your subdeps were calling the `pbkdf2`/`pbkdf2Sync` methods from Node.js `crypto` inside your bundle).
When targeting non-Node.js, prefer avoiding the Node.js `crypto` polyfill altogether, and use `crypto.subtle` and/or modern, audited cryptography primitives instead.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 3.1.2" }, "package": { "ecosystem": "npm", "name": "pbkdf2" }, "ranges": [ { "events": [ { "introduced": "3.0.10" }, { "fixed": "3.1.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2025-6545" ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2025-06-23T22:41:50Z", "nvd_published_at": "2025-06-23T19:15:25Z", "severity": "CRITICAL" }, "details": "### Summary\n\nThis affects both:\n 1. Unsupported algos (e.g. `sha3-256` / `sha3-512` / `sha512-256`)\n 2. Supported but non-normalized algos (e.g. `Sha256` / `Sha512` / `SHA1` / `sha-1` / `sha-256` / `sha-512`)\n\nAll of those work correctly in Node.js, but this polyfill silently returns highly predictable ouput\n\nUnder Node.js (only with `pbkdf2/browser` import, unlikely) / Bun (`pbkdf2` top-level import is affected), the memory is not zero-filled but is uninitialized, as `Buffer.allocUnsafe` is used\n\nUnder browsers, it just returns zero-filled buffers\n(Which is also critical, those are completely unacceptable as kdf output and ruin security)\n\n### Were you affected?\n\nThe full list of arguments that were **not** affected were literal:\n * `\u0027md5\u0027`\n * `\u0027sha1\u0027`\n * `\u0027sha224\u0027`\n * `\u0027sha256\u0027`\n * `\u0027sha384\u0027`\n * `\u0027sha512\u0027`\n * `\u0027rmd160\u0027`\n * `\u0027ripemd160\u0027`\n\nAny other arguments, e.g. 
representation variations of the above ones like `\u0027SHA-1\u0027`/`\u0027sha-256\u0027`/`\u0027SHA512\u0027` or different algos like `\u0027sha3-512\u0027`/`\u0027blake2b512\u0027`, while supported on Node.js `crypto` module, returned predictable output on `pbkdf2` (or `crypto` browser/bundlers polyfill)\n\n---\n\nBeware of packages re-exporting this under a different signature, like (abstract):\n```js\nconst crypto = require(\u0027crypto\u0027)\nmodule.exports.deriveKey = (algo, pass, salt) =\u003e crypto.pbkdf2Sync(pass, salt, 2048, 64, algo)\n```\n\nIn this case, the resulting `deriveKey` method is also affected (to the same extent / conditions as listed here).\n\n### Environments\n\nThis affects `require(\u0027crypto\u0027)` in polyfilled mode (e.g. from `crypto-browserify`, `node-libs-browser`, `vite-plugin-node-polyfills`, `node-stdlib-browser`, etc. -- basically everything that bundles/polfyills `crypto`\n\n* In bundled code (e.g. Webpack / Vite / whatever), this affects `require(\u0027crypto\u0027)` and `require(\u0027pbkdf2\u0027)`\n* On Node.js, this does not affect `require(\u0027pbkdf2\u0027)` (or `require(\u0027crypto\u0027)` obviously), but affects `require(\u0027pbkdf2/browser\u0027)`\n* On Bun, this _does_ affect `require(\u0027pbkdf2\u0027)` _and_ `require(\u0027pbkdf2/browser\u0027)` (and returns uninitialized memory, often zeros / sparse flipped bytes)\n\n### PoC\n```js\nconst node = require(\u0027crypto\u0027)\nconst polyfill = require(\u0027pbkdf2/browser\u0027)\n\nconst algos = [\n \u0027sha3-512\u0027, \u0027sha3-256\u0027, \u0027SHA3-384\u0027,\n \u0027Sha256\u0027, \u0027Sha512\u0027, \u0027sha512-256\u0027,\n \u0027SHA1\u0027, \u0027sha-1\u0027,\n \u0027blake2b512\u0027,\n \u0027RMD160\u0027, \u0027RIPEMD-160\u0027, \u0027ripemd-160\u0027,\n]\nfor (const algo of algos) {\n for (const { pbkdf2Sync } of [node, polyfill]) {\n const key = pbkdf2Sync(\u0027secret\u0027, \u0027salt\u0027, 100000, 64, algo)\n console.log(`${algo}: 
${key.toString(\u0027hex\u0027)}`);\n }\n}\n```\n\nOutput (odd lines are Node.js, even is `pbkdf2` module / polyfill):\n```\nsha3-512: de00370414a3251d6d620dc8f7c371644e5d7f365ab23b116298a23fa4077b39deab802dd61714847a5c7e9981704ffe009aee5bb40f6f0103fc60f3d4cedfb0\nsha3-512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nsha3-256: 76bf06909b91e4c968700078ee36af92019d0839ab1fea2f345c6c8685074ca0179302633fbd84d22cff4f8744952b2d07edbfc9658e95d30fb4e93ee067c7c9\nsha3-256: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nSHA3-384: 2b2b41b73f9b7bcd023f709ea84ba3c29a88edc311b737856ba9e74a2d9a928f233eb8cb404a9ba93c276edf6380c692140024a0bc12b75bfa38626207915e01\nSHA3-384: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nSha256: 3fa094211c0cf2ed1d332ab43adc69aab469f0e0f2cae6345c81bb874eef3f9eb2c629052ec272ca49c2ee95b33e7ba6377b2317cd0dacce92c4748d3c7a45f0\nSha256: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nSha512: 3745e482c6e0ade35da10139e797157f4a5da669dad7d5da88ef87e47471cc47ed941c7ad618e827304f083f8707f12b7cfdd5f489b782f10cc269e3c08d59ae\nSha512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nsha512-256: e423f61987413121418715d0ebf64cb646042ae9a09fe4fd2c764a4f186ba28cf70823fdc2b03dda67a0d977c6f0a0612e5ed74a11e6f32b033cb658fa9f270d\nsha512-256: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nSHA1: 0e24bc5a548b236e3eb3b22317ef805664a88747c725cd35bfb0db0e4ae5539e3ed5cd5ba8c0ac018deb6518059788c8fffbe624f614fbbe62ba6a6e174e4a72\nSHA1: 
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nsha-1: 0e24bc5a548b236e3eb3b22317ef805664a88747c725cd35bfb0db0e4ae5539e3ed5cd5ba8c0ac018deb6518059788c8fffbe624f614fbbe62ba6a6e174e4a72\nsha-1: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nblake2b512: d3d661100c5ffb79bdf3b5c77d1698e621414cba40e2348bd3f1b10fbd2fe97bff4dc7d76474955bfefa61179f2a37e9dddedced0e7e79ef9d8c678080d45926\nblake2b512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nRMD160: ec65dbad1485616cf0426725d64e009ad3e1633543746ccb56b7f06eb7ce51d0249aaef27c879f32911a7c0accdc83389c2948ddec439114f6165366f9b4cca2\nRMD160: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nRIPEMD-160: ec65dbad1485616cf0426725d64e009ad3e1633543746ccb56b7f06eb7ce51d0249aaef27c879f32911a7c0accdc83389c2948ddec439114f6165366f9b4cca2\nRIPEMD-160: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\nripemd-160: ec65dbad1485616cf0426725d64e009ad3e1633543746ccb56b7f06eb7ce51d0249aaef27c879f32911a7c0accdc83389c2948ddec439114f6165366f9b4cca2\nripemd-160: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n```\n\n#### Uninitialized memory\n\n```js\nconst { pbkdf2Sync } = require(\u0027pbkdf2/browser\u0027) // or just \u0027pbkdf2\u0027 on Bun will do this too\n\nlet prev\nfor (let i = 0; i \u003c 100000; i++) {\n const key = pbkdf2Sync(\u0027secret\u0027, \u0027salt\u0027, 100000, 64, \u0027sha3-256\u0027)\n const hex = key.toString(\u0027hex\u0027)\n if (hex !== prev) console.log(hex);\n prev = hex\n}\n```\n\n### Affected versions\n\nSeems to be since 
https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078\n\n### Impact\n\nThis is critical, browserifying code might silently generate zero-filled keys instead of proper ones, for code that was working on Node.js or in test environment\n\nJust updating to a fixed version is not enough: if anyone was using `pbkdf2` lib (e.g. via `crypto-browserify` or directly) on algos not from the literal string list (see \"were you affected\"), recheck where those keys went / how they were used, and take action accordingly\n\n### Note\n\nMost likely, you receive this either through a subdep using `pbkdf2` module directly (and then it is used), or through `crypto-browserify` (and the usage depends on whether you or any of your subdeps were calling `pbkdf2/pbkdf2Sync` methods from Node.js crypto inside your bundle)\n\nWhen targeting non-Node.js, prever avoiding Node.js crypto polyfill at all, and use `crypto.subtle` and/or modern/audited cryptography primitives instead", "id": "GHSA-h7cp-r72f-jxh6", "modified": "2025-06-27T23:38:36Z", "published": "2025-06-23T22:41:50Z", "references": [ { "type": "WEB", "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545" }, { "type": "WEB", "url": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078" }, { "type": "WEB", "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" }, { "type": "PACKAGE", "url": "https://github.com/browserify/pbkdf2" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H", "type": "CVSS_V4" } ], "summary": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos" }
Sightings
Author | Source | Type | Date
---|---|---|---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.