Nodejs, Cryptographic Vulnerability, CVE-2017-14633 (Critical)

How the CVE Works

In Node.js versions 0.12 to 2.x, the `pbkdf2` library incorrectly processes `Uint8Array` inputs, silently substituting them with empty buffers. When hashing non-empty `Uint8Array` data, the function outputs the same hash as if given empty inputs (''). This occurs due to a flawed `toBuffer` method, which fails to properly convert typed arrays. As a result, cryptographic keys derived from `Uint8Array` inputs are static, rendering them insecure. The vulnerability also affects dependent libraries, potentially exposing systems using weak or predictable keys.

DailyCVE Form

Platform: Node.js
Version: 0.12-2.x
Vulnerability: PBKDF2 Uint8Array mishandling
Severity: Critical
Date: 2017-09-26

Prediction: Patch unlikely (legacy versions)

What Undercode Say

```bash
# Reproduce flaw
node -e "console.log(require('pbkdf2').pbkdf2Sync(new Uint8Array([1,2,3]), new Uint8Array([1,3,4]), 1024, 32, 'sha256'))"
# Expected (correct) output via crypto module:
node -e "console.log(require('crypto').pbkdf2Sync(new Uint8Array([1,2,3]), new Uint8Array([1,3,4]), 1024, 32, 'sha256'))"
```

Exploit

  • Attackers predict derived keys.
  • Brute-force effort is bypassed.
  • Compromised authentication mechanisms.

Protection from this CVE

  • Upgrade Node.js (≥3.0.0).
  • Replace `pbkdf2` with `crypto.pbkdf2`.
  • Audit legacy key usage.
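
One way to carry out the audit step above, as an added example (not code from the advisory or from the `pbkdf2` project): it flags stored keys that can be reproduced from empty inputs using Node's built-in `crypto` module. The record schema, the ids and the sample data are constructed, and the check assumes each affected argument behaved as an empty buffer independently.

```javascript
const crypto = require('crypto');

const EMPTY = Buffer.alloc(0);

// Classify one stored key. `record` uses a hypothetical schema:
// { id, key: Buffer, salt: Buffer, iterations: number, digest: string }
function classifyStoredKey(record) {
  const { key, salt, iterations, digest } = record;
  if (!Buffer.isBuffer(key) || key.length === 0) {
    throw new TypeError('record.key must be a non-empty Buffer');
  }
  // Derivations that need no secret at all. Assumption: each Uint8Array
  // argument was replaced by an empty buffer independently.
  const candidates = [
    ['empty-password-and-salt', EMPTY, EMPTY],
    ['empty-password', EMPTY, salt],
  ];
  for (const [finding, password, usedSalt] of candidates) {
    const derived = crypto.pbkdf2Sync(password, usedSalt, iterations, key.length, digest);
    if (crypto.timingSafeEqual(derived, key)) return finding;
  }
  return 'not-degenerate';
}

// Return only the records whose key must be regenerated.
function auditRecords(records) {
  return records
    .map((r) => ({ id: r.id, finding: classifyStoredKey(r) }))
    .filter((r) => r.finding !== 'not-degenerate');
}

// Constructed sample data: the first two keys simulate output of the flawed path.
const salt = Buffer.from('0102030405060708', 'hex');
const derive = (pw, s) => crypto.pbkdf2Sync(pw, s, 1024, 32, 'sha256');
const sampleRecords = [
  { id: 'svc-a', key: derive(EMPTY, EMPTY), salt, iterations: 1024, digest: 'sha256' },
  { id: 'svc-b', key: derive(EMPTY, salt), salt, iterations: 1024, digest: 'sha256' },
  { id: 'svc-c', key: derive('correct horse', salt), salt, iterations: 1024, digest: 'sha256' },
];

console.log(auditRecords(sampleRecords));
```

A key flagged here does not depend on the password, so it has to be regenerated with a correct derivation; a key reported as `not-degenerate` can still be affected if only the salt was passed as a `Uint8Array`, which cannot be checked without the password.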

Impact

  • Static keys weaken encryption.
  • Legacy systems at high risk.
  • Requires key regeneration.

Sources:

Reported By: github.com