Home > Vulnerability Database > CVE-2025-54885

Mend.io Vulnerability Database

CVE-2025-54885

Good to know:

Date: August 6, 2025

Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime (defaulted to 2048 bits). The client public value is being generated from a private value that is 4 bits below the specification. This reduces the protocol's designed security margin it is now practically exploitable. The servers full sized 2048 bit random number is used to create the shared session key and password proof. This is fixed in version 2.0.1.

Severity Score

7.4

Related Resources (7)

Url: https://github.com/simbo1905/thinbus-srp-npm/security/advisories/GHSA-8q6v-474h-whgg

Url: https://github.com/simbo1905/thinbus-srp-npm

Url: https://github.com/simbo1905/thinbus-srp-npm/pull/30/commits/4aeaea2366e090765a8204059c7bcf3616438d31

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-54885

Url: https://github.com/simbo1905/thinbus-srp-npm/commit/aa7064c1db7294ce867e9bc92f26fa6c71a5a2cb

Url: https://github.com/simbo1905/thinbus-srp-npm/issues/28

Url: https://www.mend.io/vulnerability-database/CVE-2025-54885

Severity Score

7.4

Weakness Type (CWE)

Insufficient Entropy

CWE-331

Top Fix

Upgrade Version

Upgrade to version thinbus-srp - 2.0.1

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-54885

Good to know:

Date: August 6, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?