CWE-330
DiscouragedUse of Insufficiently Random Values
Abstraction: Class · Status: Stable
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
444 vulnerabilities reference this CWE, most recent first.
GHSA-C2GG-RRHC-FVVG
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-02-12 11:32A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.1"
},
{
"fixed": "2.1.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.3"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-7886"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-17T21:00:15Z",
"nvd_published_at": "2019-08-02T22:15:00Z",
"severity": "HIGH"
},
"details": "A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.",
"id": "GHSA-c2gg-rrhc-fvvg",
"modified": "2024-02-12T11:32:38Z",
"published": "2022-05-24T16:52:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7886"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7886.yaml"
},
{
"type": "WEB",
"url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20220121011306/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Magento 2 Community Edition Cryptographic Flaw"
}
GHSA-C4X2-M5W5-M3RX
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-04-20 03:39A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application are lacking randomization and are shared between several users. This may allow a current session to be compromised.
{
"affected": [],
"aliases": [
"CVE-2017-6026"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-30T03:29:00Z",
"severity": "CRITICAL"
},
"details": "A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application are lacking randomization and are shared between several users. This may allow a current session to be compromised.",
"id": "GHSA-c4x2-m5w5-m3rx",
"modified": "2025-04-20T03:39:42Z",
"published": "2022-05-13T01:04:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6026"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45918"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C76H-2CCP-4975
Vulnerability from github – Published: 2025-01-21 21:10 – Updated: 2025-01-21 21:10Impact
Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.
If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.
Patches
This is fixed in 5.28.5; 6.21.1; 7.2.3.
Workarounds
Do not issue multipart requests to attacker controlled servers.
References
- https://hackerone.com/reports/2913312
- https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0"
},
{
"fixed": "5.28.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.21.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22150"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-21T21:10:47Z",
"nvd_published_at": "2025-01-21T18:15:14Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.\n\nIf there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.\n\n### Patches\n\nThis is fixed in 5.28.5; 6.21.1; 7.2.3.\n\n### Workarounds\n\nDo not issue multipart requests to attacker controlled servers.\n\n### References\n\n* https://hackerone.com/reports/2913312\n* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f\n",
"id": "GHSA-c76h-2ccp-4975",
"modified": "2025-01-21T21:10:47Z",
"published": "2025-01-21T21:10:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22150"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2913312"
},
{
"type": "WEB",
"url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Use of Insufficiently Random Values in undici"
}
GHSA-C7VF-M394-M4X4
Vulnerability from github – Published: 2024-02-17 06:30 – Updated: 2024-02-20 23:45Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/greenpau/caddy-security"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.42"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21495"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-20T23:45:44Z",
"nvd_published_at": "2024-02-17T05:15:09Z",
"severity": "MODERATE"
},
"details": "Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.",
"id": "GHSA-c7vf-m394-m4x4",
"modified": "2024-02-20T23:45:44Z",
"published": "2024-02-17T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21495"
},
{
"type": "WEB",
"url": "https://github.com/greenpau/caddy-security/issues/265"
},
{
"type": "WEB",
"url": "https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2"
},
{
"type": "WEB",
"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275"
},
{
"type": "PACKAGE",
"url": "github.com/greenpau/caddy-security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Use of Insufficiently Random Values in github.com/greenpau/caddy-security"
}
GHSA-C7XR-736P-29J3
Vulnerability from github – Published: 2022-04-21 01:57 – Updated: 2024-02-06 23:21TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-install"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-install"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-install"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-install"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2010-3666"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-06T23:21:45Z",
"nvd_published_at": "2019-11-04T22:15:00Z",
"severity": "MODERATE"
},
"details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the `uniqid` function.",
"id": "GHSA-c7xr-736p-29j3",
"modified": "2024-02-06T23:21:45Z",
"published": "2022-04-21T01:57:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3666"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/302b35e714ca30ddb71ab36b9cbb2bea760a2f0e"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/352d6066bf09137e86705bc060fd4ab3ba8f9191"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/42324b30546b1e49fb16c916fc71cceb99ad9fd0"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/f6d2e33cfab87c9e44eca275d6755be747e3cd7e"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/install"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-3666"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Insecure_Randomness"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 is vulnerable to Insecure randomness in uniqid function"
}
GHSA-C8J2-M9GV-4P68
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-08-07 00:00Askey AP5100W devices through AP5100W_Dual_SIG_1.01.097 are affected by WPS PIN offline brute-force cracking. This arises because of issues with the random number selection for the Diffie-Hellman exchange. By capturing an attempted (and even failed) WPS authentication attempt, it is possible to brute force the overall authentication exchange. This allows an attacker to obtain the recovered WPS PIN in minutes or even seconds, and eventually obtain the Wi-Fi PSK key, gaining access to the Wi=Fi network.
{
"affected": [],
"aliases": [
"CVE-2020-15023"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "Askey AP5100W devices through AP5100W_Dual_SIG_1.01.097 are affected by WPS PIN offline brute-force cracking. This arises because of issues with the random number selection for the Diffie-Hellman exchange. By capturing an attempted (and even failed) WPS authentication attempt, it is possible to brute force the overall authentication exchange. This allows an attacker to obtain the recovered WPS PIN in minutes or even seconds, and eventually obtain the Wi-Fi PSK key, gaining access to the Wi=Fi network.",
"id": "GHSA-c8j2-m9gv-4p68",
"modified": "2022-08-07T00:00:29Z",
"published": "2022-05-24T17:36:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15023"
},
{
"type": "WEB",
"url": "https://medium.com/csg-govtech/bolstering-security-how-i-breached-a-wifi-mesh-access-point-from-close-proximity-to-uncover-f8f77dc3cd5d"
},
{
"type": "WEB",
"url": "https://www.askey.com.tw/Products/wifi.html"
},
{
"type": "WEB",
"url": "https://www.askey.com.tw/incident_report_notifications.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C9Q6-G3HR-8GWW
Vulnerability from github – Published: 2026-01-13 14:55 – Updated: 2026-01-21 16:23Vulnerability
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594
Uses java.util.Random() which is not cryptographically secure.
Impact
If an attacker can predict the random delays, they may still be able to perform timing attacks.
Patches
Jervis will use SecureRandom for timing randomization.
Upgrade to Jervis 2.2.
Workarounds
None
References
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "net.gleske:jervis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68704"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T14:55:35Z",
"nvd_published_at": "2026-01-13T20:16:07Z",
"severity": "HIGH"
},
"details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594\n\nUses `java.util.Random()` which is not cryptographically secure.\n\n### Impact\n\nIf an attacker can predict the random delays, they may still be able to perform timing attacks.\n\n### Patches\n\nJervis will use `SecureRandom` for timing randomization.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)",
"id": "GHSA-c9q6-g3hr-8gww",
"modified": "2026-01-21T16:23:22Z",
"published": "2026-01-13T14:55:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68704"
},
{
"type": "WEB",
"url": "https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
},
{
"type": "PACKAGE",
"url": "https://github.com/samrocketman/jervis"
},
{
"type": "WEB",
"url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594"
},
{
"type": "WEB",
"url": "http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jervis Has Weak Random for Timing Attack Mitigation"
}
GHSA-C9VV-FHGV-CJC3
Vulnerability from github – Published: 2024-02-21 02:54 – Updated: 2024-02-21 18:57Impact
The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation.
Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. Users are asked to take proactive measures mentioned below in Workarounds:Users to protect their assets.
Patches
Patch for the vulnerability is available in v1.0.1 for all the packages listed in the advisory. Please upgrade and deploy your canisters immediately.
Workarounds
Developers
The recommended fix is to upgrade the package to the patched version. If that is not possible, there are couple of workarounds to handle the insecure key generation.
- Invoking the function as
Ed25519KeyIdentity.generate(null)would fix the broken conditional evaluation and force the function to generate a securely random seed. However, this is not guaranteed to work for future upgrades. - Passing a securely generated randomness as a seed to
Ed25519KeyIdentity.generatewould force the library to use it as the seed to generate the key pair.
Users
Removing a controller of a canister if it's the affected principal
For all canisters you control, fetch the controllers of the canisters using
dfx canister info --ic <CANISTER>
If you see the principal 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe as one of the controllers, follow the steps below
dfx identity whoami # record CURRENT_IDENTITY
dfx identity new <NEW_IDENTITY_NAME>
dfx identity use <NEW_IDENTITY_NAME>
dfx identity get-principal <NEW_IDENTITY_NAME> # record NEW_IDENTITY_PRINCIPAL
dfx identity use <CURRENT_IDENTITY>
dfx canister update-settings --ic <CANISTER> --add-controller <NEW_IDENTITY_PRINCIPAL>
dfx canister update-settings --ic <CANISTER> --remove-controller `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`
For more details on canister management, please visit here
Checking funds on wallets / ledgers
If you have funds on ledgers using a browser wallet, please check if the account principal matches 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe. If it does, please create a new account and transfer the funds to the new account immediately.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@dfinity/identity"
},
"ranges": [
{
"events": [
{
"introduced": "0.20.0-beta.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@dfinity/auth-client"
},
"ranges": [
{
"events": [
{
"introduced": "0.20.0-beta.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-1631"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T02:54:56Z",
"nvd_published_at": "2024-02-21T03:15:08Z",
"severity": "CRITICAL"
},
"details": "## Impact\n\nThe library offers a function to generate an ed25519 key pair via `Ed25519KeyIdentity.generate` with an optional param to provide a 32 byte seed value, which will then be used as the secret key. **When no seed value is provided, it is expected that the library generates the secret key using secure randomness**. However, a recent change **broke this guarantee** and **uses an insecure seed for key pair generation**.\n\nSince the private key of this identity (`535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. Users are asked to take proactive measures mentioned below in Workarounds:Users to protect their assets. \n\n## Patches\nPatch for the vulnerability is **available in v1.0.1** for all the packages listed in the advisory. Please upgrade and deploy your canisters immediately. \n\n## Workarounds\n\n### Developers\n\nThe recommended fix is to upgrade the package to the patched version. If that is not possible, there are couple of workarounds to handle the insecure key generation.\n\n1. Invoking the function as `Ed25519KeyIdentity.generate(null)` would fix the broken conditional evaluation and force the function to generate a securely random seed. However, this is not guaranteed to work for future upgrades.\n2. Passing a securely generated randomness as a seed to `Ed25519KeyIdentity.generate` would force the library to use it as the seed to generate the key pair.\n\n### Users\n\n#### Removing a controller of a canister if it\u0027s the affected principal\n\nFor all canisters you control, fetch the controllers of the canisters using \n```sh\ndfx canister info --ic \u003cCANISTER\u003e\n```\nIf you see the principal `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe` as one of the controllers, follow the steps below \n```sh\ndfx identity whoami # record CURRENT_IDENTITY\n\ndfx identity new \u003cNEW_IDENTITY_NAME\u003e \ndfx identity use \u003cNEW_IDENTITY_NAME\u003e \ndfx identity get-principal \u003cNEW_IDENTITY_NAME\u003e # record NEW_IDENTITY_PRINCIPAL\n\ndfx identity use \u003cCURRENT_IDENTITY\u003e\ndfx canister update-settings --ic \u003cCANISTER\u003e --add-controller \u003cNEW_IDENTITY_PRINCIPAL\u003e\ndfx canister update-settings --ic \u003cCANISTER\u003e --remove-controller `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`\n```\nFor more details on canister management, please visit [here](https://internetcomputer.org/docs/current/tutorials/developer-journey/level-1/1.6-managing-canisters)\n\n#### Checking funds on wallets / ledgers\n\nIf you have funds on ledgers using a browser wallet, please check if the account principal matches `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`. If it does, please create a new account and transfer the funds to the new account immediately.\n\n## References\n\n1. [fix PR link](https://github.com/dfinity/agent-js/pull/851)\n2. [NPM patched version](https://www.npmjs.com/package/@dfinity/identity/v/1.0.1)\n3. [agent-js Github repo](https://github.com/dfinity/agent-js)\n4. [agent-js docs](https://agent-js.icp.xyz/identity/index.html)\n\n",
"id": "GHSA-c9vv-fhgv-cjc3",
"modified": "2024-02-21T18:57:59Z",
"published": "2024-02-21T02:54:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1631"
},
{
"type": "WEB",
"url": "https://github.com/dfinity/agent-js/pull/851"
},
{
"type": "WEB",
"url": "https://agent-js.icp.xyz/identity/index.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/dfinity/agent-js"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@dfinity/identity/v/1.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`"
}
GHSA-CGXW-QRQF-JQQ9
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2014-6311"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-22T19:15:00Z",
"severity": "CRITICAL"
},
"details": "generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges.",
"id": "GHSA-cgxw-qrqf-jqq9",
"modified": "2024-04-03T23:59:27Z",
"published": "2022-05-17T19:57:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6311"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760709"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-6311"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/09/11/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/09/12/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CH86-PXR9-J9H9
Vulnerability from github – Published: 2026-04-03 21:31 – Updated: 2026-04-07 14:24Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T14:24:10Z",
"nvd_published_at": "2026-04-03T21:17:11Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.",
"id": "GHSA-ch86-pxr9-j9h9",
"modified": "2026-04-07T14:24:10Z",
"published": "2026-04-03T21:31:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter",
"withdrawn": "2026-04-07T14:24:10Z"
}
Mitigation
- Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
- In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
- Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Mitigation
Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Mitigation MIT-2
Strategy: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-485: Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.