Common Weakness Enumeration

CWE-330

Discouraged

Use of Insufficiently Random Values

Abstraction: Class · Status: Stable

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

444 vulnerabilities reference this CWE, most recent first.

GHSA-C2GG-RRHC-FVVG

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-02-12 11:32
VLAI
Summary
Magento 2 Community Edition Cryptographic Flaw
Details

A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1"
            },
            {
              "fixed": "2.1.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "2.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-7886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T21:00:15Z",
    "nvd_published_at": "2019-08-02T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.",
  "id": "GHSA-c2gg-rrhc-fvvg",
  "modified": "2024-02-12T11:32:38Z",
  "published": "2022-05-24T16:52:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7886"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7886.yaml"
    },
    {
      "type": "WEB",
      "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220121011306/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento 2 Community Edition Cryptographic Flaw"
}

GHSA-C4X2-M5W5-M3RX

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-04-20 03:39
VLAI
Details

A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application are lacking randomization and are shared between several users. This may allow a current session to be compromised.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-30T03:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application are lacking randomization and are shared between several users. This may allow a current session to be compromised.",
  "id": "GHSA-c4x2-m5w5-m3rx",
  "modified": "2025-04-20T03:39:42Z",
  "published": "2022-05-13T01:04:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6026"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45918"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97254"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C76H-2CCP-4975

Vulnerability from github – Published: 2025-01-21 21:10 – Updated: 2025-01-21 21:10
VLAI
Summary
Use of Insufficiently Random Values in undici
Details

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

  • https://hackerone.com/reports/2913312
  • https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "5.28.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.21.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-22150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T21:10:47Z",
    "nvd_published_at": "2025-01-21T18:15:14Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.\n\nIf there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.\n\n### Patches\n\nThis is fixed in 5.28.5; 6.21.1; 7.2.3.\n\n### Workarounds\n\nDo not issue multipart requests to attacker controlled servers.\n\n### References\n\n* https://hackerone.com/reports/2913312\n* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f\n",
  "id": "GHSA-c76h-2ccp-4975",
  "modified": "2025-01-21T21:10:47Z",
  "published": "2025-01-21T21:10:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22150"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2913312"
    },
    {
      "type": "WEB",
      "url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/undici"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Insufficiently Random Values in undici"
}

GHSA-C7VF-M394-M4X4

Vulnerability from github – Published: 2024-02-17 06:30 – Updated: 2024-02-20 23:45
VLAI
Summary
Use of Insufficiently Random Values in github.com/greenpau/caddy-security
Details

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/greenpau/caddy-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-20T23:45:44Z",
    "nvd_published_at": "2024-02-17T05:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.",
  "id": "GHSA-c7vf-m394-m4x4",
  "modified": "2024-02-20T23:45:44Z",
  "published": "2024-02-17T06:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/greenpau/caddy-security/issues/265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2"
    },
    {
      "type": "WEB",
      "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/greenpau/caddy-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Insufficiently Random Values in github.com/greenpau/caddy-security"
}

GHSA-C7XR-736P-29J3

Vulnerability from github – Published: 2022-04-21 01:57 – Updated: 2024-02-06 23:21
VLAI
Summary
TYPO3 is vulnerable to Insecure randomness in uniqid function
Details

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-install"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2010-3666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-06T23:21:45Z",
    "nvd_published_at": "2019-11-04T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the `uniqid` function.",
  "id": "GHSA-c7xr-736p-29j3",
  "modified": "2024-02-06T23:21:45Z",
  "published": "2022-04-21T01:57:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/302b35e714ca30ddb71ab36b9cbb2bea760a2f0e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/352d6066bf09137e86705bc060fd4ab3ba8f9191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/42324b30546b1e49fb16c916fc71cceb99ad9fd0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/f6d2e33cfab87c9e44eca275d6755be747e3cd7e"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/install"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2010-3666"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Insecure_Randomness"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 is vulnerable to Insecure randomness in uniqid function"
}

GHSA-C8J2-M9GV-4P68

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-08-07 00:00
VLAI
Details

Askey AP5100W devices through AP5100W_Dual_SIG_1.01.097 are affected by WPS PIN offline brute-force cracking. This arises because of issues with the random number selection for the Diffie-Hellman exchange. By capturing an attempted (and even failed) WPS authentication attempt, it is possible to brute force the overall authentication exchange. This allows an attacker to obtain the recovered WPS PIN in minutes or even seconds, and eventually obtain the Wi-Fi PSK key, gaining access to the Wi=Fi network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Askey AP5100W devices through AP5100W_Dual_SIG_1.01.097 are affected by WPS PIN offline brute-force cracking. This arises because of issues with the random number selection for the Diffie-Hellman exchange. By capturing an attempted (and even failed) WPS authentication attempt, it is possible to brute force the overall authentication exchange. This allows an attacker to obtain the recovered WPS PIN in minutes or even seconds, and eventually obtain the Wi-Fi PSK key, gaining access to the Wi=Fi network.",
  "id": "GHSA-c8j2-m9gv-4p68",
  "modified": "2022-08-07T00:00:29Z",
  "published": "2022-05-24T17:36:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15023"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/csg-govtech/bolstering-security-how-i-breached-a-wifi-mesh-access-point-from-close-proximity-to-uncover-f8f77dc3cd5d"
    },
    {
      "type": "WEB",
      "url": "https://www.askey.com.tw/Products/wifi.html"
    },
    {
      "type": "WEB",
      "url": "https://www.askey.com.tw/incident_report_notifications.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9Q6-G3HR-8GWW

Vulnerability from github – Published: 2026-01-13 14:55 – Updated: 2026-01-21 16:23
VLAI
Summary
Jervis Has Weak Random for Timing Attack Mitigation
Details

Vulnerability

https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594

Uses java.util.Random() which is not cryptographically secure.

Impact

If an attacker can predict the random delays, they may still be able to perform timing attacks.

Patches

Jervis will use SecureRandom for timing randomization.

Upgrade to Jervis 2.2.

Workarounds

None

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "net.gleske:jervis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T14:55:35Z",
    "nvd_published_at": "2026-01-13T20:16:07Z",
    "severity": "HIGH"
  },
  "details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594\n\nUses `java.util.Random()` which is not cryptographically secure.\n\n### Impact\n\nIf an attacker can predict the random delays, they may still be able to perform timing attacks.\n\n### Patches\n\nJervis will use `SecureRandom` for timing randomization.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)",
  "id": "GHSA-c9q6-g3hr-8gww",
  "modified": "2026-01-21T16:23:22Z",
  "published": "2026-01-13T14:55:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68704"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/samrocketman/jervis"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L593-L594"
    },
    {
      "type": "WEB",
      "url": "http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jervis Has Weak Random for Timing Attack Mitigation"
}

GHSA-C9VV-FHGV-CJC3

Vulnerability from github – Published: 2024-02-21 02:54 – Updated: 2024-02-21 18:57
VLAI
Summary
agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`
Details

Impact

The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation.

Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. Users are asked to take proactive measures mentioned below in Workarounds:Users to protect their assets.

Patches

Patch for the vulnerability is available in v1.0.1 for all the packages listed in the advisory. Please upgrade and deploy your canisters immediately.

Workarounds

Developers

The recommended fix is to upgrade the package to the patched version. If that is not possible, there are couple of workarounds to handle the insecure key generation.

  1. Invoking the function as Ed25519KeyIdentity.generate(null) would fix the broken conditional evaluation and force the function to generate a securely random seed. However, this is not guaranteed to work for future upgrades.
  2. Passing a securely generated randomness as a seed to Ed25519KeyIdentity.generate would force the library to use it as the seed to generate the key pair.

Users

Removing a controller of a canister if it's the affected principal

For all canisters you control, fetch the controllers of the canisters using

dfx canister info --ic <CANISTER>

If you see the principal 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe as one of the controllers, follow the steps below

dfx identity whoami # record CURRENT_IDENTITY

dfx identity new <NEW_IDENTITY_NAME> 
dfx identity use <NEW_IDENTITY_NAME> 
dfx identity get-principal <NEW_IDENTITY_NAME> # record NEW_IDENTITY_PRINCIPAL

dfx identity use <CURRENT_IDENTITY>
dfx canister update-settings --ic <CANISTER> --add-controller <NEW_IDENTITY_PRINCIPAL>
dfx canister update-settings --ic <CANISTER> --remove-controller `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`

For more details on canister management, please visit here

Checking funds on wallets / ledgers

If you have funds on ledgers using a browser wallet, please check if the account principal matches 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe. If it does, please create a new account and transfer the funds to the new account immediately.

References

  1. fix PR link
  2. NPM patched version
  3. agent-js Github repo
  4. agent-js docs
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@dfinity/identity"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.20.0-beta.0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@dfinity/auth-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.20.0-beta.0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T02:54:56Z",
    "nvd_published_at": "2024-02-21T03:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\n\nThe library offers a function to generate an ed25519 key pair via `Ed25519KeyIdentity.generate` with an optional param to provide a 32 byte seed value, which will then be used as the secret key. **When no seed value is provided, it is expected that the library generates the secret key using secure randomness**. However, a recent change **broke this guarantee** and **uses an insecure seed for key pair generation**.\n\nSince the private key of this identity (`535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. Users are asked to take proactive measures mentioned below in Workarounds:Users to protect their assets. \n\n## Patches\nPatch for the vulnerability is **available in v1.0.1** for all the packages listed in the advisory. Please upgrade and deploy your canisters immediately. \n\n## Workarounds\n\n### Developers\n\nThe recommended fix is to upgrade the package to the patched version. If that is not possible, there are couple of workarounds to handle the insecure key generation.\n\n1. Invoking the function as `Ed25519KeyIdentity.generate(null)` would fix the broken conditional evaluation and force the function to generate a securely random seed. However, this is not guaranteed to work for future upgrades.\n2. Passing a securely generated randomness as a seed to `Ed25519KeyIdentity.generate` would force the library to use it as the seed to generate the key pair.\n\n### Users\n\n#### Removing a controller of a canister if it\u0027s the affected principal\n\nFor all canisters you control, fetch the controllers of the canisters using \n```sh\ndfx canister info --ic \u003cCANISTER\u003e\n```\nIf you see the principal `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe` as one of the controllers, follow the steps below \n```sh\ndfx identity whoami # record CURRENT_IDENTITY\n\ndfx identity new \u003cNEW_IDENTITY_NAME\u003e \ndfx identity use \u003cNEW_IDENTITY_NAME\u003e \ndfx identity get-principal \u003cNEW_IDENTITY_NAME\u003e # record NEW_IDENTITY_PRINCIPAL\n\ndfx identity use \u003cCURRENT_IDENTITY\u003e\ndfx canister update-settings --ic \u003cCANISTER\u003e --add-controller \u003cNEW_IDENTITY_PRINCIPAL\u003e\ndfx canister update-settings --ic \u003cCANISTER\u003e --remove-controller `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`\n```\nFor more details on canister management, please visit [here](https://internetcomputer.org/docs/current/tutorials/developer-journey/level-1/1.6-managing-canisters)\n\n#### Checking funds on wallets /  ledgers\n\nIf you have funds on ledgers using a browser wallet, please check if the account principal matches `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`. If it does, please create a new account and transfer the funds to the new account immediately.\n\n## References\n\n1. [fix PR link](https://github.com/dfinity/agent-js/pull/851)\n2. [NPM patched version](https://www.npmjs.com/package/@dfinity/identity/v/1.0.1)\n3. [agent-js Github repo](https://github.com/dfinity/agent-js)\n4. [agent-js docs](https://agent-js.icp.xyz/identity/index.html)\n\n",
  "id": "GHSA-c9vv-fhgv-cjc3",
  "modified": "2024-02-21T18:57:59Z",
  "published": "2024-02-21T02:54:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1631"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dfinity/agent-js/pull/851"
    },
    {
      "type": "WEB",
      "url": "https://agent-js.icp.xyz/identity/index.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dfinity/agent-js"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@dfinity/identity/v/1.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`"
}

GHSA-CGXW-QRQF-JQQ9

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59
VLAI
Details

generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-6311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-22T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges.",
  "id": "GHSA-cgxw-qrqf-jqq9",
  "modified": "2024-04-03T23:59:27Z",
  "published": "2022-05-17T19:57:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6311"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760709"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2014-6311"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/11/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/12/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CH86-PXR9-J9H9

Vulnerability from github – Published: 2026-04-03 21:31 – Updated: 2026-04-07 14:24
VLAI
Summary
Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T14:24:10Z",
    "nvd_published_at": "2026-04-03T21:17:11Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.",
  "id": "GHSA-ch86-pxr9-j9h9",
  "modified": "2026-04-07T14:24:10Z",
  "published": "2026-04-03T21:31:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter",
  "withdrawn": "2026-04-07T14:24:10Z"
}

Mitigation
Architecture and Design
  • Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
  • In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
  • Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Mitigation
Implementation

Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.

Mitigation MIT-2
Architecture and Design Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-485: Signature Spoofing by Key Recreation

An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.