CVE-2025-53884: NeuVector has an insecure password storage vulnerable to rainbow attack

August 28, 2025 (updated September 17, 2025)

NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).

NeuVector generates a cryptographically secure, random 16-character salt and uses it with the PBKDF2 algorithm to create the hash value for the following actions:

Creating a user
Updating a user’s password
Creating an API key

Note: After upgrading to NeuVector 5.4.6, users must log in again so that NeuVector can regenerate the password hash. For API keys, you must send at least one request per API key to regenerate its hash value.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-53884 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →