CVE-2022-35255

Advisory lineage Upstream: 0 Downstream: 13

Downstream

ALPINE-CVE-2022-35255 DEBIAN-CVE-2022-35255 DSA-5326-1 OPENSUSE-SU-2024:12370-1 OPENSUSE-SU-2024:12376-1 RHSA-2022:6963

Modified

Published: 05 Dec 2022, 00:00

Last modified:30 Apr 2025, 05:48

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.1 CRITICAL

v3.1 (cve.org)

EPSS Score

1.21% LOW

1% probability -0.40%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

05 Dec 2022, 00:00

Published

Vulnerability first disclosed

30 Apr 2025, 05:48

Last Modified

Vulnerability information updated

Description

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

CVSS Metrics

v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 1.21%• Percentile: 79%

Techniques & Countermeasures

CWE-338•Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Affected Systems

debian•debian_linux
11.0
nodejs•node
≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 15.0, < 15.* | ≥ 17.0, < 17.* | ≥ 18.0, < 18.9.1
nodejs•node.js
≥ 15.0.0, ≤ 15.14.0 | ≥ 16.0.0, ≤ 16.12.0 | ≥ 16.13.0, < 16.17.1 | ≥ 18.0.0, < 18.9.1
siemens•sinec_ins
< 1.0 | 1.0 | 1.0:sp1 | 1.0:sp2