CVE-2025-53884

NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).

NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).

NeuVector has an insecure password storage vulnerable to rainbow attack in github.com/neuvector/neuvector. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/neuvector/neuvector from v5.0.0 before v5.4.6.

### Impact NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed). NeuVector generates a cryptographically secure, random 16-character salt and uses it with the PBKDF2 algorithm to create the hash value for the following actions: - Creating a user - Updating a user’s password - Creating an API key **Note:** After upgrading to NeuVector 5.4.6, users must log in again so that NeuVector can regenerate the password hash. For API keys, you must send at least one request per API key to regenerate its hash value. ### Patches This issue is fixed in NeuVector version **5.4.6** and later. ### Workarounds There is no workaround. Upgrade to a patched version of NeuVector as soon as possible. ### References If you have any questions or comments about this advisory: - Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries. - Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository. - Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).

NeuVector almacena las contraseñas de usuario y las claves de API utilizando un hash simple y sin hash. Este método es vulnerable a ataques de tabla arcoíris (un ataque fuera de línea donde los hashes de contraseñas conocidas se precalculan).