CVE-2022-35255

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-35255
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35255.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-35255
Aliases
Downstream
Related
Published
2022-12-05T22:15:10.513Z
Modified
2026-03-15T22:45:13.569749Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
d683e3dda09b6b3cc6cad6fd2c106e3061a48f0d
Last affected
1a34e9c24bf6dd07ff575a8c198f93cd5e8d15b9
Introduced
7162e686b18d22b4385fa5c04274fb04dbd810c7
Last affected
49415500bb1bf51a1fade5ea2d03f3988ecabc25
Introduced
40ecd5601193c316e62e9216e8a4259130686208
Fixed
6b06e89c7dfccec6792008302af1cee57649445c
Introduced
49a77a5a996a49e8cb728eed42e55a7c1a9eef6e
Fixed
df3ed1e89299e4c8f006fc20e22265a889c97919
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b82bb600370db7207a39e53329af228f6af3ffa1
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b82bb600370db7207a39e53329af228f6af3ffa1
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
545959468fbc878e7f0a486264eebbdf06a57bea
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b65a11e072cf751d8c2a9699451ef80022d4ffbc
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
cea049bcf8bb0f9a6e0095dbd5dffdb14dc8f71b
Database specific 
{
    "versions": [
        {
            "introduced": "15.0.0"
        },
        {
            "last_affected": "15.14.0"
        },
        {
            "introduced": "16.0.0"
        },
        {
            "last_affected": "16.12.0"
        },
        {
            "introduced": "16.13.0"
        },
        {
            "fixed": "16.17.1"
        },
        {
            "introduced": "18.0.0"
        },
        {
            "fixed": "18.9.1"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0-sp1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0-sp2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "11.0"
        }
    ]
}

Affected versions

v15.*
v15.0.0
v16.*
v16.0.0
v16.1.0
v16.10.0
v16.11.0
v16.11.1
v16.12.0
v16.13.0
v16.13.1
v16.13.2
v16.14.0
v16.14.1
v16.14.2
v16.15.0
v16.15.1
v16.16.0
v16.17.0
v16.2.0
v16.3.0
v16.4.0
v16.4.1
v16.4.2
v16.5.0
v16.6.0
v16.6.1
v16.6.2
v16.7.0
v16.8.0
v16.9.0
v16.9.1
v18.*
v18.0.0
v18.1.0
v18.2.0
v18.3.0
v18.4.0
v18.5.0
v18.6.0
v18.7.0
v18.8.0
v18.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35255.json"