Insecure Randomness

Affecting uuid package, versions <1.3.1

Overview

uuid is an RFC4122 (v1 and v4) UUID generator.

Affected versions of the package generate UUIDs from the Math.random() function, which is not a cryptographic random number generator and may produce already-used numbers after 24,000 cycles. This makes the values predictable for objects that require unpredictability: an attacker may be able to guess the next value to be generated and use it to access sensitive information.

Remediation

Upgrade uuid to version 1.3.1 or higher.

CVSS Score

5.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit: Robert Kieffer
CWE: CWE-330
Snyk ID: npm:uuid:20111230
Disclosed: 29 Dec, 2011
Published: 13 Feb, 2017