How the CVE Works
The vulnerability occurs in the `pbkdf2-browserify` polyfill when a non-standard or case-variant hash algorithm name (e.g., `sha3-256`, `SHA-1`, `sha-512`) is passed in. Instead of deriving a proper key, the polyfill returns either:
- Zero-filled buffers (in browsers), making keys predictable.
- Uninitialized memory (in Node.js/Bun via `pbkdf2/browser`), leaking sensitive data.
The flaw stems from improper validation of the hash algorithm argument: only exact lowercase strings (e.g., `'sha256'`) are handled correctly. Any deviation (e.g., `'SHA256'`, `'sha-256'`) triggers the bug and breaks PBKDF2's security guarantees.
DailyCVE Form
Platform: pbkdf2-browserify
Version: < 3.1.2
Vulnerability: Predictable key output
Severity: Critical
Date: 2023-10-11
Prediction: Patch expected by 2023-11-01
What Undercode Says
Check for vulnerable dependencies:
```sh
npm ls pbkdf2-browserify
```
Verify PBKDF2 output (Node.js native vs. polyfill); `-p` prints the expression result, which `-e` would not:
```sh
node -p "require('crypto').pbkdf2Sync('test', 'salt', 1000, 64, 'sha3-256').toString('hex')"
```
```javascript
// Detect zero-filled (predictable) output from the polyfill (Bun/Node.js).
// A single 0x00 byte occurs in ~22% of genuine 64-byte keys, so the check
// must be for an all-zero buffer, not for the presence of a null byte.
const key = require('pbkdf2/browser').pbkdf2Sync('secret', 'salt', 1000, 64, 'sha512-256');
const allZero = key.every((b) => b === 0);
console.assert(!allZero, 'Vulnerable to CVE-2023-44270');
```
Exploit
1. Predictable Keys: Attackers brute-force zero-filled keys.
2. Memory Leakage: Bun/Node.js exposes uninitialized RAM.
3. Polyfill Poisoning: Bundlers (Webpack/Vite) silently inject the flawed polyfill.
Protection from this CVE
- Update to version 3.1.2 or later.
- Use only the exact lowercase hash algorithm strings the library accepts (e.g., `'SHA-256'` → `'sha256'`).
- Replace with `crypto.subtle.importKey()` (Web Crypto) for browsers.
Impact
- Critical: Compromised encryption, session hijacking.
- Silent Failure: Works in Node.js but fails in bundles.
- Widespread: Affects crypto-browserify, Webpack, Vite, Bun.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode