Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-mpj8-q39x-wq5h

CRITICAL

crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

Also known asCVE-2023-46133
Published
Oct 25, 2023
Updated
Nov 8, 2023
Affected
1 pkg
Patched
1 / 1
Exploits
1 known

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk36th percentile+0.26%
0.00%0.32%0.63%0.95%0.2%0.4%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

crypto-esnpm
139Kdownloads / week

Description

Impact

Summary

Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both (1) defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005 and (2) defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. Remediation of this issue might be very difficult, as the changes required to fix this issue would change the output of this method and thus break most, if not all, current uses of this method as configured by default.

Potential Impact:

  1. If used to protect passwords, the impact is high.
  2. If used to generate signatures, the impact is high.

Probability / risk analysis / attack enumeration:

  1. For at most $45,000, an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has identical cryptographic signature to any chosen known value.
  2. Due to the length extension attack on SHA1, we can create a value that has identical signature to any unknown value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies 'salt' or 'pepper' or any other secret unknown to the attacker. It will still create an identical signature.

crypto-js has 10,642 public users as displayed on NPM, today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.

A very rough GitHub search shows 432 files cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.

Affected versions

All versions are impacted. This code has been the same since crypto-js was first created.

Further Cryptanalysis

The issue here is especially egregious because the length extension attack makes useless any secret that might be appended to the plaintext before calculating its signature.

Consider a scheme in which a secret is created for a user's username, and that secret is used to protect e.g. their passwords. Let's say that password is 'fake-password', and their username is 'example-username'.

To encrypt the user password via symmetric encryption we might do encrypt(plaintext: 'fake-password', encryption_key: cryptojs.pbkdf2(value: 'example username' + salt_or_pepper)). By this means, we would, in theory, create an encryption_key that can be determined from the public username, but which requires the secret salt_or_pepper to generate. This is a common scheme for protecting passwords, as exemplified in bcrypt & scrypt. Because the encryption key is symmetric, we can use this derived key to also decrypt the ciphertext.

Because of the length extension issue, if the attacker obtains (via attack 1), a collision with 'example username', the attacker does not need to know salt_or_pepper to decrypt their account data, only their public username.

Description

PBKDF2 is a key-derivation function that is used for two main purposes: (1) to stretch or squash a variable length password's entropy into a fixed size for consumption by another cryptographic operation and (2) to reduce the chance of downstream operations recovering the password input (for example, for password storage).

Unlike the modern webcrypto standard, crypto-js does not throw an error when a number of iterations is not specified, and defaults to one single iteration. In the year 1993, when PBKDF2 was originally specified, the minimum number of iterations suggested was set at 1,000. Today, OWASP recommends 1,300,000:

https://github.com/entronad/crypto-es/blob/aa48d48413549addc06cd737a272466d5fc1b5e6/lib/pbkdf2.js#L35-L39

Workarounds

Consult the OWASP PBKDF2 Cheatsheet. Configure to use SHA256 with at least 250,000 iterations.

Coordinated disclosure

This issue was simultaneously submitted to crypto-js and crypto-es on the 23rd of October 2023.

Caveats

This issue was found in a security review that was not scoped to crypto-es. This report is not an indication that crypto-es has undergone a formal security assessment by the author.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmcrypto-esall versions2.1.0
Exploits & PoCs
1

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

CryptoES is a cryptography algorithms library compatible with ES6 and Ty…

github.comNVDNov 2023

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for crypto-es. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update crypto-es to 2.1.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-mpj8-q39x-wq5h is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-mpj8-q39x-wq5h is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-mpj8-q39x-wq5h. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact #### Summary Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision
O3 Security · Impact-Aware SCA

Is GHSA-mpj8-q39x-wq5h in your dependencies?

O3 detects GHSA-mpj8-q39x-wq5h across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works