DEBIAN-CVE-2022-35255

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2022-35255

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-35255.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-35255

Upstream

CVE-2022-35255

Published

2022-12-05T22:15:10Z

Modified

2025-09-30T05:17:12.247250Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

References

https://security-tracker.debian.org/tracker/CVE-2022-35255

Affected packages

Debian:11 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.22.12~dfsg-1~deb11u3

Affected versions

12.*

12.21.0~dfsg-5

12.22.4~dfsg-1

12.22.5~dfsg-1

12.22.5~dfsg-2~11u1

12.22.5~dfsg-2

12.22.5~dfsg-3

12.22.5~dfsg-4

12.22.5~dfsg-5

12.22.5~dfsg-6

12.22.5~dfsg-7

12.22.7~dfsg-1

12.22.7~dfsg-2

12.22.9~dfsg-1

12.22.10~dfsg-1

12.22.10~dfsg-2

12.22.12~dfsg-1~deb11u1

12.22.12~dfsg-1~deb11u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.10.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.10.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.10.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}