Skip to content

Fix critical pbkdf2 vulnerabilities#16943

Merged
wackerow merged 2 commits into
devfrom
fix/security-pbkdf2-vulnerability
Jan 13, 2026
Merged

Fix critical pbkdf2 vulnerabilities#16943
wackerow merged 2 commits into
devfrom
fix/security-pbkdf2-vulnerability

Conversation

@minimalsm
Copy link
Copy Markdown
Contributor

@minimalsm minimalsm commented Dec 18, 2025

Summary

  • Adds pnpm override to force pbkdf2 >= 3.1.3
  • Fixes two critical vulnerabilities:
    1. pbkdf2 silently disregards Uint8Array input, returning static keys
    2. pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algorithms

Security Advisories

Test plan

  • Verified all pbkdf2 instances upgraded to 3.1.5 via pnpm why pbkdf2
  • CI passes

@minimalsm
Fix critical pbkdf2 vulnerabilities (CVE)
4ee3192 
Override pbkdf2 to >=3.1.3 to fix two critical vulnerabilities:
- Silently disregards Uint8Array input, returning static keys
- Returns predictable uninitialized/zero-filled memory for non-normalized algos
@github-actions github-actions Bot added the dependencies 📦 Changes related to project dependencies label Dec 18, 2025
@netlify
Copy link
Copy Markdown

netlify Bot commented Dec 18, 2025
edited
Loading

Deploy Preview for ethereumorg ready!

Name Link
🔨 Latest commit 22eae21
🔍 Latest deploy log https://app.netlify.com/projects/ethereumorg/deploys/6965bbfc424d64000874e92b
😎 Deploy Preview https://deploy-preview-16943.ethereum.it
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse		 7 paths audited
Performance: 58 (🟢 up 6 from production)
Accessibility: 94 (no change from production)
Best Practices: 100 (🟢 up 1 from production)
SEO: 100 (no change from production)
PWA: 59 (no change from production)
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

@wackerow wackerow merged commit ec43d0c into dev Jan 13, 2026
6 of 7 checks passed
@wackerow wackerow deleted the fix/security-pbkdf2-vulnerability branch January 13, 2026 03:29
@wackerow wackerow mentioned this pull request Jan 15, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wackerow wackerow wackerow approved these changes

@pettinarip pettinarip Awaiting requested review from pettinarip pettinarip is a code owner

+1 more reviewer

@corwintines corwintines corwintines approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies 📦 Changes related to project dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@minimalsm @corwintines @wackerow