Security Vulnerability in pbkdf2 Dependency (CVE-2025-6547)

  • nileshv

    (@nileshv)


    5 months ago

    I’m reaching out regarding a critical security advisory that may affect your plugin.

    The pbkdf2 Node.js package, which appears in your plugin’s package-lock.json, is affected by a critical vulnerability (CVE-2025-6547). This issue causes the library to silently return static keys when passed a Uint8Array, potentially leading to cryptographic weaknesses or forged keys.

    Relevant advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6547

    Affected versions: pbkdf2 <= 3.1.2
    Fixed in: pbkdf2 >= 3.1.3

    Could you please let me know:

    • If this dependency is actually used at runtime in the plugin?
    • Whether you have plans to upgrade pbkdf2 to a secure version?
    • If an update is expected soon to address this?
Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter nileshv

    (@nileshv)

    4 months, 1 week ago

    Just following up on this — we haven’t received a response yet.

    Could you please confirm:

    • Whether the pbkdf2 dependency is actively used at runtime in the plugin?
    • If there are plans to upgrade to a secure version (>= 3.1.3)?
    • Whether an update is expected soon to address CVE-2025-6547?

    Given the critical nature of the vulnerability, a quick update would be greatly appreciated.

    Thanks again.

    Plugin Author Thomas McMahon

    (@twistermc)

    4 months ago

    It looks like pbkdf2 is a dependency of a few other packages, some of which have recently been updated. Regardless, they’re only used to build out the files, and not used at runtime.

    I’m in the process of updating PDFjs to the latest version and hopefully that’ll be out soon and fix some concerns.

    zhangweibo

    (@zhangweibo)

    3 months, 3 weeks ago

    Upgrading to version 2.2.3 causes the PDF preview to malfunction. Since the plugin is only used to provide PDF previews, I had to roll back to version 2.2.2.

    Plugin Author Thomas McMahon

    (@twistermc)

    3 months, 3 weeks ago

    Do you have any more details? Are there any errors in the console? What browser are you using?

    I didn’t see any issues.

    zhangweibo

    (@zhangweibo)

    3 months, 3 weeks ago

    There’s no error message, but the interface appears gray and the PDF doesn’t display. I’m not sure what the issue is — I’ve tested it in both Chrome and Safari, and the result is the same. Once I rolled back to version 2.2.2, the preview started working normally again.

    Gunu

    (@grafcom)

    3 months, 3 weeks ago

    @zhangweibo

    I had this problem the first time too. I re-entered the PDF and refreshed it.
    Now everything works fine.
    I hope this helps.

    zhangweibo

    (@zhangweibo)

    3 months, 3 weeks ago

    @grafcom

    thanks!

    I didn’t actually try creating a new PDF preview — I was only testing with existing posts. But even if recreating the PDF preview for each one works, it would be a frustrating task, since there are hundreds of posts and it would require repeating the same work over and over again.

    Gunu

    (@grafcom)

    3 months, 3 weeks ago

    @zhangweibo

    Did another test. Restored old backup and updated the plugin again. Nothing changed on the PDF pages. Checked on a different computer (no cache?), and the PDF displays correctly.

    Plugin Author Thomas McMahon

    (@twistermc)

    3 months, 3 weeks ago

    Could be a caching issue. Not sure what’s being cached, but that does sound like the issue.

Viewing 9 replies - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.