CVE-2022-35255
CRITICALNode.js 15.0.0-15.13.0 and 16.13.0-16.17.0 - Weak Cryptographic Key Generation via WebCrypto EntropySource
Title source: llmDescription
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.
References (4)
Core 4
Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2023/dsa-5326
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/1690000
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230113-0002/
Scores
CVSS v3
9.1
EPSS
0.0187
EPSS Percentile
76.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-338
Status
published
Products (5)
debian/debian_linux
11.0
nodejs/node.js
15.0.0 - 15.14.0
nodejs/node.js
16.13.0 - 16.17.1
siemens/sinec_ins
1.0 (3 CPE variants)
siemens/sinec_ins
< 1.0
Published
Dec 05, 2022
Tracked Since
Feb 18, 2026