Protocol Compliance Bug in Thinbus Javascript Secure Remote Password
CVE-2025-54885

6.9 MEDIUM

Key Information:

Vendor:
Simbo1905
CVE Published:
7 August 2025

What is CVE-2025-54885?

Thinbus Javascript Secure Remote Password (SRP) versions 2.0.0 and below contain a protocol compliance bug in the client's generation of its private ephemeral value a. Instead of drawing a random value of the intended safe prime bit length (2048 bits), the client drew a fixed 252 bits of entropy. The client public value A is therefore derived from a private value that is 4 bits short of the 256-bit minimum that RFC 5054 specifies for SRP private values. This reduces the protocol's security margin but is not practically exploitable: a 252-bit private value is still far beyond brute force, and the server continues to use its full-sized 2048-bit random private value b when deriving the shared session key and the password proofs. The issue is a compliance gap against the RFC minimum rather than a practical break. It is fixed in version 2.0.1.

Affected Version(s)

thinbus-srp-npm < 2.0.1

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 7 August 2025: Vulnerability published
