Description
The crypto-js package 3.2.0 for Node.js generates random numbers by concatenating the string “0.” with an integer, which makes the output more predictable than necessary.
Recommendation
Update the crypto-js package to the latest compatible version. Followings are version details:
- Affected version(s): = 3.2.0
- Patched version(s): 3.2.1
References
- GHSA-3w3w-pxmm-2w2j
- security.snyk.io
- security.netapp.com
- CVE-2020-36732
- CWE-330
- CWE-331
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- Insecure serialization leading to RCE in serialize-javascript - CVE-2020-7660
- Expo on iOS is insecure due incorrect security attribute application - CVE-2020-24653
- Elliptic Uses a Broken or Risky Cryptographic Algorithm - CVE-2020-28498
- Insecure random number generation in keypair - CVE-2021-41117
- Tags:
- npm
- crypto-js
Anything's wrong? Let us know Last updated on March 16, 2026