DEBIAN-CVE-2022-35255

Advisory lineage Upstream: 1 Downstream: 1

Upstream

CVE-2022-35255

Downstream

DSA-5326-1

Published: 05 Dec 2022, 22:15

Last modified:28 Apr 2026, 20:24

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.1 CRITICAL

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

05 Dec 2022, 22:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:24

Last Modified

Vulnerability information updated

Description

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

CVSS Metrics

v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Systems

debian•nodejs
< 12.22.12~dfsg-1~deb11u3 | < 18.10.0+dfsg-1 | < 18.10.0+dfsg-1 | < 18.10.0+dfsg-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2022-35255