You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please update crypto-es to version 2.1.0 or higher. Currently used version 1.2.2 marked by dependabot as critical vulnerability.
Additional context
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both (1) defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005 and (2) defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. Remediation of this issue might be very difficult, as the changes required to fix this issue would change the output of this method and thus break most, if not all, current uses of this method as configured by default.
Potential Impact:
If used to protect passwords, the impact is high.
If used to generate signatures, the impact is high.
Probability / risk analysis / attack enumeration
For at most $45,000, an attacker, given control of only the beginning of a crypto-js PBKDF2 input, can create a value which has identical cryptographic signature to any chosen known value.
Due to the length extension attack on SHA1, we can create a value that has identical signature to any unknown value, provided it is prefixed by a known value. It does not matter if PBKDF2 applies 'salt' or 'pepper' or any other secret unknown to the attacker. It will still create an identical signature.
crypto-js has 10,642 public users as displayed on NPM, today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.
A very rough GitHub search shows 432 files cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.
The text was updated successfully, but these errors were encountered:
Please update crypto-es to version
2.1.0or higher. Currently used version1.2.2marked by dependabot as critical vulnerability.Additional context
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both (1) defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005 and (2) defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. Remediation of this issue might be very difficult, as the changes required to fix this issue would change the output of this method and thus break most, if not all, current uses of this method as configured by default.
Potential Impact:
Probability / risk analysis / attack enumeration
crypto-js has 10,642 public users as displayed on NPM, today October 11th 2023. The number of transient dependents is likely several orders of magnitude higher.
A very rough GitHub search shows 432 files cross GitHub using PBKDF2 in crypto-js in Typescript or JavaScript, but not specifying any number of iterations.
The text was updated successfully, but these errors were encountered: