Affecting text-qrcode package, ALL versions
text-qrcode is a QR Code Generator.
Affected versions of this package are malicious: they contain code that overwrites the randomBytes method of the crypto module with a function that generates weak entropy. Instead of generating 32 bytes of entropy, the infected randomBytes generates 3 bytes of entropy and hashes them, so it still returns a 32-byte value, but one that is easily guessable.
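A defensive check for the tampering described above, as an added example that is not part of the advisory or the package: it captures `crypto.randomBytes` at startup, detects a later replacement by identity comparison, and locks the property against reassignment. The helper names and the all-zero stand-in replacement are constructed for illustration, and the code assumes it runs before any third-party dependency is loaded.

```javascript
const crypto = require('crypto');

// Reference captured at startup. Assumption: this module is loaded before
// any third-party dependency, so this is still Node's own implementation.
const trustedRandomBytes = crypto.randomBytes;

// True while crypto.randomBytes is the function captured at startup.
function randomBytesIsIntact() {
  return crypto.randomBytes === trustedRandomBytes;
}

// Restore the trusted function and make the property read-only, so a later
// `crypto.randomBytes = ...` in any module can no longer replace it.
function lockRandomBytes() {
  Object.defineProperty(crypto, 'randomBytes', {
    value: trustedRandomBytes,
    writable: false,
    configurable: false,
    enumerable: true,
  });
}

// Test helper: performs the kind of assignment the advisory describes and
// reports whether it took effect. On a locked property the assignment throws
// a TypeError in strict mode and is silently ignored in sloppy mode.
function tryOverride(replacement) {
  try {
    crypto.randomBytes = replacement;
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  }
  return crypto.randomBytes === replacement;
}

// Constructed stand-in for a tampered generator (fixed output, not the
// package's code); used only to exercise the checks above.
const constructedReplacement = (size) => Buffer.alloc(size);

console.log('crypto.randomBytes intact at startup:', randomBytesIsIntact());
```

The lock only covers assignment to `crypto.randomBytes` after it has run; a dependency loaded earlier, or one that patches a different function, is outside what this check sees.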
- Snyk ID
- 29 Nov, 2018
- 10 Jan, 2019