pbkdf2@0.0.5 vulnerabilities

This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()

  • latest version

    3.1.3

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    10 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the pbkdf2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Generation of Predictable Numbers or Identifiers

    Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers via the toBuffer function. An attacker can predict cryptographic keys that were generated using Uint8Array inputs on affected Node.js versions, leading to compromised security of derived keys or passwords.

    Note: This is only exploitable when used in the environment running Node.js or io.js in versions lower than 3.0.0.

    How to fix Generation of Predictable Numbers or Identifiers?

    Upgrade pbkdf2 to version 3.1.3 or higher.

    <3.1.3