Malicious Package

Affecting text-qrcode package, ALL versions

high severity

Overview

text-qrcode is a QR Code Generator.

Affected versions of this package are vulnerable to Malicious Package. The package contains malicious code that overwrites the randomBytes method of the crypto module with a function that generates weak entropy. Instead of generating 32 bytes, the infected randomBytes generates 3 bytes of entropy and hashes them, so a 32-byte value is still returned, but one that is easily guessable.

Remediation

Avoid using text-qrcode altogether.

Credit
Unknown
CWE
CWE-506
Snyk ID
SNYK-JS-TEXTQRCODE-73501
Disclosed
29 Nov, 2018
Published
10 Jan, 2019