Description

Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime (defaulted to 2048 bits). The client public value is being generated from a private value that is 4 bits below the specification. This reduces the protocol's designed security margin it is now practically exploitable. The servers full sized 2048 bit random number is used to create the shared session key and password proof. This is fixed in version 2.0.1.

INFO

Published Date :

2025-08-07T00:02:42.612Z

Last Modified :

2025-08-07T14:13:18.243Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54885 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54885.

URL Resource
https://github.com/simbo1905/thinbus-srp-npm/issues/28 cve-icon cve-icon
https://github.com/simbo1905/thinbus-srp-npm/pull/30/commits/4aeaea2366e090765a8204059c7bcf3616438d31 cve-icon cve-icon
https://github.com/simbo1905/thinbus-srp-npm/security/advisories/GHSA-8q6v-474h-whgg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability