Description
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string “0.” with an integer, which makes the output more predictable than necessary.
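Why this construction is more predictable than necessary, as an added example (not code from crypto-js or from this advisory). It assumes the integer is a uniform unsigned 32-bit value, which the page does not state, and all function names are hypothetical. The counts are exact range arithmetic, not sampling.

```javascript
// Assumption: the integer is uniform over 0 .. 2^32 - 1 (width not given on the page).
const MAX = 2 ** 32;

// The construction the advisory describes: the integer's decimal digits
// are placed after "0." and the string is parsed as a number.
function concatFraction(n) {
  return Number('0.' + n);
}

// Uniform mapping of the same integer onto [0, 1), for comparison.
function scaledFraction(n) {
  return n / MAX;
}

// Exact count of integers in [0, MAX) whose decimal form starts with `digit`.
function countLeadingDigit(digit) {
  if (digit === 0) return 1; // only n = 0 itself
  let count = 0;
  for (let pow = 1; pow < MAX; pow *= 10) {
    const lo = digit * pow;                      // first value of this length
    const hi = Math.min((digit + 1) * pow, MAX); // exclusive upper bound
    if (hi > lo) count += hi - lo;
  }
  return count;
}

// Probability that the first digit after "0." equals `digit`.
function leadingDigitProbability(digit) {
  return countLeadingDigit(digit) / MAX;
}

// Probability that concatFraction(n) < 0.5, i.e. the leading digit is 0..4.
// A uniform generator would give exactly 0.5 here.
function probBelowHalf() {
  let total = 0;
  for (let d = 0; d <= 4; d++) total += countLeadingDigit(d);
  return total / MAX;
}

for (let d = 1; d <= 9; d++) {
  console.log(`leading digit ${d}: ${(100 * leadingDigitProbability(d)).toFixed(2)}%`);
}
console.log(`P(output < 0.5) = ${probBelowHalf().toFixed(4)}`);
// Distinct integers also collapse to the same output: "0.1" and "0.10".
console.log(concatFraction(1) === concatFraction(10), scaledFraction(1) === scaledFraction(10));
```

Under this assumption about 87% of outputs fall below 0.5, and integers that differ only by trailing zeros produce identical values.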
Recommendation
Update the crypto-js package to the latest compatible version. Version details:
- Affected version(s): < 3.2.1
- Patched version(s): 3.2.1
References
- GHSA-3w3w-pxmm-2w2j
- security.snyk.io
- security.netapp.com
- CVE-2020-36732
- CWE-330
- CWE-331
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- pg-promise SQL Injection vulnerability - CVE-2025-29744
- Elliptic allows BER-encoded signatures - CVE-2024-42461
- ejs lacks certain pollution protection - CVE-2024-33883
- Cross-site scripting in Survey Creator - CVE-2024-28635
Tags
- npm
- crypto-js
Last updated on January 06, 2025