• Resolved nileshv

    (@nileshv)


    I’m reaching out regarding a critical security advisory that may affect your plugin.

    The pbkdf2 Node.js package, which appears in your plugin’s /plugins/cookie-law-info/lite/admin/package-lock.json, is affected by a critical vulnerability (CVE-2025-6547). This issue causes the library to silently return static keys when passed a Uint8Array, potentially leading to cryptographic weaknesses or forged keys.

    Relevant advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6547

    Affected versions: pbkdf2 <= 3.1.2
    Fixed in: pbkdf2 >= 3.1.3

    Could you please let me know:

    • If this dependency is actually used at runtime in the plugin?
    • Whether you have plans to upgrade pbkdf2 to a secure version?
    • If an update is expected soon to address this?
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support Ryan (CookieYes Support)

    (@ryancysupport)

    Hi @nileshv,

    Thank you for bringing this to our attention and for sharing the detailed advisory.

    We’d like to clarify that the pbkdf2 package referenced in the package-lock.json file is not used at runtime in the plugin itself. The plugin remains secure in operation, and this does not impact the runtime environment or expose any cryptographic risks in production use.

    That said, we take such reports seriously. We have already released a few fixes related to this in our last update, and we are planning to fully address and upgrade this dependency in an upcoming release to ensure complete resolution.

    If you have any further concerns or questions, please feel free to let us know.
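For the runtime question discussed in this thread, the following is an added example (not code from the plugin or from either poster) that lists every pbkdf2 entry in a parsed package-lock.json, marks whether npm records it as dev-only, and checks it against the version bounds quoted in the first post. The names `findPbkdf2`, `isAffected` and `SAMPLE_LOCK` are hypothetical, and the sample lockfile is constructed.

```javascript
// First fixed release, per the version bounds quoted in the thread.
const FIXED = [3, 1, 3];

// Extract major.minor.patch; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version < 3.1.3. Unparseable versions are flagged for manual review.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

function record(path, meta) {
  return { path, version: meta.version, devOnly: meta.dev === true,
           affected: isAffected(meta.version) };
}

// Accepts the parsed JSON of a package-lock.json (lockfileVersion 1, 2 or 3).
function findPbkdf2(lock) {
  const hits = [];
  // v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/pbkdf2' || path.endsWith('/node_modules/pbkdf2')) {
      hits.push(record(path, meta));
    }
  }
  // v1: nested "dependencies" tree (v2 repeats it, so skip when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'pbkdf2') hits.push(record(path, meta));
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample, not the plugin's real lockfile.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-sample' },
  'node_modules/pbkdf2': { version: '3.1.2', dev: true },
  'node_modules/example-lib/node_modules/pbkdf2': { version: '3.1.3' },
} };
console.log(findPbkdf2(SAMPLE_LOCK));
```

A `devOnly` result reflects only npm's dependency graph; whether a build step copies the package into shipped assets has to be confirmed against the built files.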

    Plugin Support Ryan (CookieYes Support)

    (@ryancysupport)

    Hello @nileshv,

    It has been quite some time since our last communication. As we did not receive any follow-up questions from you, we will mark this thread as resolved.

    Please open a new thread if you have any questions that require our attention.
