CVE-2022-35255

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-35255
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35255.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-35255
Aliases
Downstream
Related
Published
2022-12-05T22:15:10Z
Modified
2025-10-10T04:07:40.377457Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
40ecd5601193c316e62e9216e8a4259130686208
Fixed
6b06e89c7dfccec6792008302af1cee57649445c

Affected versions

v16.*

v16.13.0
v16.13.1
v16.13.2
v16.14.0
v16.14.1
v16.14.2
v16.15.0
v16.15.1
v16.16.0
v16.17.0