PT-2022-22662 · Node.Js+6
Bnoordhuis · Published 2022-09-23 · Updated 2026-05-18
CVE-2022-35255
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Node.js version 18
Description
A weak randomness issue exists in the WebCrypto keygen due to a change in how EntropySource() is used in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two main problems:
- The return value of EntropySource() is not checked; the code assumes it always succeeds, but it can fail.
- The random data returned by EntropySource() may not be cryptographically strong, which makes it unsuitable as keying material.
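As an added illustration (not code from this page or from Node.js), the C below places the unchecked-return defect the description names beside a fail-closed version, using a hypothetical `entropy_fn` stand-in and constructed test doubles in place of the real EntropySource(). It covers only the first problem; the second (strength of the randomness) is addressed by drawing from the OS CSPRNG, which the stand-in deliberately does not do.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the entropy source the advisory describes:
 * fills buf with len bytes and returns true on success, but CAN fail.
 * In production this must be the OS CSPRNG; nothing below is random. */
typedef bool (*entropy_fn)(uint8_t *buf, size_t len);
/* Constructed test doubles, not real entropy sources. */
static bool failing_source(uint8_t *buf, size_t len) {
    (void)buf; (void)len; return false;   /* simulates a failed draw */
}
static bool pattern_source(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(0xA5 ^ i);
    return true;                          /* fixed pattern, demo only */
}
/* Defective pattern, as in the advisory: the return value is discarded,
 * so on failure the caller still reports success and hands out whatever
 * the buffer held (zeroed here so the outcome is visible). */
int keygen_unchecked(entropy_fn src, uint8_t *key, size_t len) {
    memset(key, 0, len);
    (void)src(key, len);                  /* result ignored: the bug */
    return 0;                             /* always "success" */
}
/* Hardened pattern: fail closed. A failed draw yields no key, and any
 * partial output is scrubbed so nothing weak can be mistaken for one. */
int keygen_checked(entropy_fn src, uint8_t *key, size_t len) {
    if (src(key, len)) return 0;
    memset(key, 0, len);
    return -1;
}
static bool all_zero(const uint8_t *p, size_t n) { uint8_t a = 0; while (n--) a |= p[n]; return a == 0; }
/* Observable outcomes when the source fails (plus one success case). */
int unchecked_status_on_failure(void) {
    uint8_t k[16]; return keygen_unchecked(failing_source, k, sizeof k);  /* 0 */
}
bool unchecked_key_is_zero_on_failure(void) {
    uint8_t k[16]; keygen_unchecked(failing_source, k, sizeof k);
    return all_zero(k, sizeof k);                                         /* true */
}
int checked_status_on_failure(void) {
    uint8_t k[16]; return keygen_checked(failing_source, k, sizeof k);    /* -1 */
}
int checked_status_on_success(void) {
    uint8_t k[16]; return keygen_checked(pattern_source, k, sizeof k);    /* 0 */
}
```

With the unchecked variant a failed draw still returns 0 and the caller walks away with an all-zero, fully predictable key; the checked variant refuses to issue one.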
Recommendations
For Node.js version 18, consider disabling the use of WebCrypto keygen until a patch is available to address the weak randomness issue. Restrict access to the affected EntropySource() function to minimize the risk of exploitation. Avoid using the SecretKeyGenTraits::DoKeyGen() function in src/crypto/crypto_keygen.cc until the issue is resolved.
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Rocky Linux
Suse