First published: Mon Jun 12 2023
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Crypto-js Project Crypto-js | <3.2.1 |
CVE-2020-36732 is a vulnerability in the crypto-js package for Node.js: affected versions generate predictable random numbers.
The severity of CVE-2020-36732 is medium, with a CVSS score of 5.3.
CVE-2020-36732 affects versions of the crypto-js package up to and excluding 3.2.1 for Node.js.
To fix CVE-2020-36732, update the crypto-js package to version 3.2.1 or higher.
CWE-330, "Use of Insufficiently Random Values", is the classification for vulnerabilities related to predictable random number generation.
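The construction named in the description, "0." concatenated with an integer, skews the output even when the integer itself is uniformly random. The following is an added example, not crypto-js code: it assumes the integer is an unsigned 32-bit value (the advisory only says "an integer"), and the function names are hypothetical.

```javascript
// Added example: two ways of turning a 32-bit integer into a float in [0, 1).
// Assumption: n is an unsigned 32-bit value; in real use it would come from a CSPRNG.
const UINT32_RANGE = 2 ** 32;

// Pattern described in the advisory: prefix the decimal digits with "0.".
// Distinct integers collide (5 and 50 both give 0.5), and every 10-digit
// input, the large majority of the uint32 range, lands below 0.43.
function concatToFloat(n) {
  return Number('0.' + n);
}

// Uniform mapping: divide by the size of the integer range.
function scaleToFloat(n) {
  return n / UINT32_RANGE;
}

// Sweep the uint32 range at a fixed stride (deterministic, constructed input)
// and return the share of outputs that lands in each tenth of [0, 1).
function histogram(toFloat, stride = 65537) {
  const buckets = new Array(10).fill(0);
  let total = 0;
  for (let n = 0; n < UINT32_RANGE; n += stride) {
    buckets[Math.min(9, Math.floor(toFloat(n) * 10))] += 1;
    total += 1;
  }
  return buckets.map((count) => count / total);
}

// Side-by-side shares per bucket for the two mappings.
function report() {
  const biased = histogram(concatToFloat);
  const uniform = histogram(scaleToFloat);
  return biased.map((share, i) => ({
    bucket: `[${i / 10}, ${(i + 1) / 10})`,
    concat: share.toFixed(3),
    scaled: uniform[i].toFixed(3),
  }));
}

console.table(report());
```

With the concatenation, more than three quarters of the outputs fall below 0.5 and the only output below 0.1 is 0 itself, while the scaled mapping puts about 10% in every bucket.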