<p>Upgrade <code>generate-password</code> to version 1.4.1 or higher.</p>

Cryptographic Backdoor Affecting generate-password package, versions <1.4.1

Snyk CVSS

Attack Complexity High

Confidentiality High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-GENERATEPASSWORD-73498
published 10 Jan 2019
disclosed 14 Dec 2018
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 14 Dec 2018

CWE-310 Open this link in a new tab

How to fix?

Upgrade generate-password to version 1.4.1 or higher.

Overview

generate-password is a relatively extensive library for generating random and unique passwords.

Affected versions of this package are vulnerable to Cryptographic Backdoor. It generates random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords.

References

GitHub Commit
GitHub PR
NPM Security Advisory