Description
A bug in the pseudo-random number generator used by keypair versions up to and including 1.0.3 could allow for weak RSA key generation. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim. We recommend replacing any RSA keys that were generated using keypair version 1.0.
Recommendation
Update the keypair package to the latest compatible version. Version details:
- Affected version(s): < 1.0.4
- Patched version(s): 1.0.4
- Tags: npm, keypair
Last updated on February 01, 2023