CVE-2025-54885
MEDIUM EPSS 35.8%
Published Aug 7, 202510mo ago · Modified Jun 17, 20261w ago
6.9 CVSS 4.0
Published Aug 7, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago
Description
Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime (defaulted to 2048 bits). The client public value is being generated from a private value that is 4 bits below the specification. This reduces the protocol's designed security margin it is now practically exploitable. The servers full sized 2048 bit random number is used to create the shared session key and password proof. This is fixed in version 2.0.1.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
35.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-331
References 3
- github.com https://github.com/simbo1905/thinbus-srp-npm/issues/28
- github.com https://github.com/simbo1905/thinbus-srp-npm/pull/30/commits/4aeaea2366e090765a8204059c7bcf3616438d31
- github.com https://github.com/simbo1905/thinbus-srp-npm/security/advisories/GHSA-8q6v-474h-whgg
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.