Insecure Randomness

Affecting node-uuid package, versions <1.4.4

Overview

node-uuid provides simple, fast generation of RFC4122 UUIDs.

Affected versions of this package are vulnerable to Insecure Randomness. The package uses the cryptographically insecure Math.random, which can produce predictable values and should not be used in security-sensitive contexts.
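
The weakness described above, shown as an added example (not node-uuid's own code): a version 4 UUID built from Math.random bytes beside the same UUID built from Node's crypto.randomBytes. All function names are illustrative assumptions, and the fixed byte input used to check the formatter is constructed.

```javascript
// Added example; not taken from the node-uuid source. Names are hypothetical.
const { randomBytes } = require('crypto');

// Weak source: 16 bytes derived from Math.random(), the pattern the advisory
// flags. Math.random() is not a CSPRNG, so its outputs can be predictable.
function weakBytes() {
  const b = Buffer.alloc(16);
  for (let i = 0; i < 16; i++) b[i] = Math.floor(Math.random() * 256);
  return b;
}

// Strong source: 16 bytes from the operating system's CSPRNG.
function strongBytes() {
  return randomBytes(16);
}

// Format 16 bytes as an RFC 4122 version 4 UUID string.
function formatV4(bytes) {
  if (!bytes || bytes.length !== 16) {
    throw new RangeError('formatV4 needs exactly 16 bytes');
  }
  const b = Buffer.from(bytes);      // copy so the caller's input is untouched
  b[6] = (b[6] & 0x0f) | 0x40;       // version nibble = 4
  b[8] = (b[8] & 0x3f) | 0x80;       // variant bits = 10xx
  const h = b.toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join('-');
}

// Same output format, different entropy source.
function uuidV4Insecure() { return formatV4(weakBytes()); }
function uuidV4Secure() { return formatV4(strongBytes()); }

// Constructed sample input: bytes 0x00..0x0f.
const SAMPLE = Uint8Array.from({ length: 16 }, (_, i) => i);

console.log('formatter check:', formatV4(SAMPLE));
console.log('Math.random    :', uuidV4Insecure());
console.log('crypto         :', uuidV4Secure());
```

Both generators produce well-formed UUIDs, so the weak source cannot be spotted by inspecting output; it has to be found in the code or in the dependency version.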

Remediation

Upgrade node-uuid to version 1.4.4 or greater.

Snyk patch available for versions:

CVSS Score

4.2 (medium severity)

  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Credit: Fedot Praslov
CVE: CVE-2015-8851
CWE: CWE-330
Snyk ID: npm:node-uuid:20160328
Disclosed: 28 Mar, 2016
Published: 28 Mar, 2016