CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

Published: Dec 5, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-35255
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-338

Affected Software
References

Software	From	Fixed in
nodejs / node.js	16.0.0	16.12.0.x
nodejs / node.js	16.13.0	16.17.1
nodejs / node.js	18.0.0	18.9.1
nodejs / node.js	15.0.0	15.14.0.x
siemens / sinec_ins	1.0-sp1	1.0-sp1.x
siemens / sinec_ins	-	1.0
siemens / sinec_ins	1.0	1.0.x
siemens / sinec_ins	1.0-sp2	1.0-sp2.x
debian / debian_linux	11.0	11.0.x

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://hackerone.com/reports/1690000
https://security.netapp.com/advisory/ntap-20230113-0002/
https://www.debian.org/security/2023/dsa-5326

Vulnerability Database

289,599

CVE-2022-35255