x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-8ff6-pc43-jwv3

Advisory [GHSA-8ff6-pc43-jwv3](https://github.com/advisories/GHSA-8ff6-pc43-jwv3) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/neuvector/neuvector](https://pkg.go.dev/github.com/neuvector/neuvector) |

Description:
### Impact

NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).

NeuVector generates a cryptographically secure, random 16-character salt and uses it with the PBKDF2 algorithm to create the hash value for the following actions:

- Creating a user
- Updating a user’s password
- Creating an API key

**Note:** After upgrading to NeuVector 5.4.6, users must log in again so that NeuVector can regenerate the password hash. For API keys, you must send at least ...

References:
- ADVISORY: https://github.com/advisories/GHSA-8ff6-pc43-jwv3
- ADVISORY: https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3

Cross references:
- github.com/neuvector/neuvector appears in 2 other report(s):
  - data/excluded/GO-2023-2103.yaml    (https://github.com/golang/vulndb/issues/2103)    EFFECTIVELY_PRIVATE
  - data/reports/GO-2024-3201.yaml    (https://github.com/golang/vulndb/issues/3201)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/neuvector/neuvector
      non_go_versions:
        - introduced: 5.0.0
        - fixed: 5.4.6
      vulnerable_at: 0.0.0-20250825182344-addc9308b3a6
summary: NeuVector has an insecure password storage vulnerable to rainbow attack in github.com/neuvector/neuvector
cves:
    - CVE-2025-53884
ghsas:
    - GHSA-8ff6-pc43-jwv3
references:
    - advisory: https://github.com/advisories/GHSA-8ff6-pc43-jwv3
    - advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3
source:
    id: GHSA-8ff6-pc43-jwv3
    created: 2025-08-28T14:01:35.986049123Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-8ff6-pc43-jwv3 #3917

Impact

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/neuvector/neuvector: GHSA-8ff6-pc43-jwv3 #3917

Description

Impact

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions