[GHSA-v62p-rq8g-8h59] pbkdf2 silently disregards Uint8Array input, returning static keys #6853
ljharb wants to merge 1 commit into ljharb/advisory-improvement-6853 from
Hi there @ljharb! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This PR corrects the affected version range for security advisory GHSA-v62p-rq8g-8h59 related to the pbkdf2 npm package. The advisory addresses a vulnerability where pbkdf2 silently disregards Uint8Array input, returning static keys. According to the PR description, versions 0.0.x were incorrectly included in the affected range because they only wrapped native crypto.pbkdf2 and lacked the vulnerable browser polyfill code.
Changes:
- Updated the minimum affected version from "0" to "1.0.0"
- Removed the database_specific.last_known_affected_version_range field
- Updated the advisory modification timestamp
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| "introduced": "1.0.0" |
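Review bot: the introduced event is set to "1.0.0" here, while the PR description's suggested corrected range starts at 3.0.3; if 1.0.0 is the deliberate lower bound (no published versions fall between 1 and 2, so it is future-proof), that reasoning should be recorded with the change rather than only in the thread. The hunk also touches only the introduced event, so the proposed upper bound (< 3.1.3) cannot be checked from this diff; include the fixed event if it changes as well.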
The PR description states that "The minimum affected version should be 3.0.3" and suggests "corrected range: >= 3.0.3, < 3.1.3", but this change sets the introduced version to "1.0.0" instead of "3.0.3". This is a significant discrepancy. According to the PR description, versions 1.0.0 through 3.0.2 should not be marked as affected since the vulnerable code path (browser polyfill with incorrect TypedArray handling) was only introduced in version 3.0.3.
this is intentional; although there are no existing versions in the inclusive range 1 - 2, this is more reliable for the future.
I updated the original GHSA, so perhaps this PR isn't needed.
The affected version range incorrectly includes pbkdf2 versions 0.0.1, 0.0.2, 0.0.4, and 0.0.5 (the entire 0.0.x line).
These versions only contain an index.js that directly wraps native crypto.pbkdf2/crypto.pbkdf2Sync. They have:
The vulnerable code path — Buffer.from(thing.buffer) which ignores TypedArray byteOffset/byteLength, and incorrect TypedArray/DataView handling in the browser polyfill — does not exist in 0.0.x at all.
The minimum affected version should be 3.0.3, which is the first version containing a browser polyfill with incorrect TypedArray handling.
Suggested corrected range: >= 3.0.3, < 3.1.3