Insecure Randomness

Affecting crypto-js package, versions >=3.3.0 <4.0.0 || <3.2.1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

crypto-js is a library of crypto standards.

Affected versions of this package are vulnerable to Insecure Randomness. The secureRandom() method is supposed to return a cryptographically strong pseudo-random data string, but it is biased to certain digits. An attacker could be able to guess the created digits.

Remediation

Upgrade crypto-js to version 4.0.0, 3.2.1 or higher.

References

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:R
Credit
Unknown
CWE
CWE-331
Snyk ID
SNYK-JS-CRYPTOJS-548472
Disclosed
11 Feb, 2020
Published
11 Feb, 2020