Common Weakness Enumeration

CWE-330

Discouraged

Use of Insufficiently Random Values

Abstraction: Class · Status: Stable

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

445 vulnerabilities reference this CWE, most recent first.

CVE-2025-66511 (GCVE-0-2025-66511)

Vulnerability from cvelistv5 – Published: 2025-12-05 16:42 – Updated: 2025-12-05 16:53
VLAI
Title
Nextcloud Calendar app used predictable proposal participant tokens
Summary
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
Impacted products
Vendor Product Version
nextcloud security-advisories Affected: >= 6.0.0-rc.1, < 6.0.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66511",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T16:53:43.707700Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T16:53:52.674Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.0.0-rc.1, \u003c 6.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-05T16:42:30.236Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27"
        },
        {
          "name": "https://github.com/nextcloud/calendar/pull/7659",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/calendar/pull/7659"
        },
        {
          "name": "https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb"
        },
        {
          "name": "https://hackerone.com/reports/3385434",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/3385434"
        }
      ],
      "source": {
        "advisory": "GHSA-whm3-vv55-gf27",
        "discovery": "UNKNOWN"
      },
      "title": "Nextcloud Calendar app used predictable proposal participant tokens"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66511",
    "datePublished": "2025-12-05T16:42:30.236Z",
    "dateReserved": "2025-12-03T15:28:02.991Z",
    "dateUpdated": "2025-12-05T16:53:52.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64097 (GCVE-0-2025-64097)

Vulnerability from cvelistv5 – Published: 2026-01-22 14:57 – Updated: 2026-01-22 16:16
VLAI
Title
NervesHub has Insufficient Token Entropy that Allows Authentication Bypass via Brute Force
Summary
NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
Impacted products
Vendor Product Version
nerves-hub nerves_hub_web Affected: >= 1.0.0, < 2.3.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64097",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-22T16:15:56.743700Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-22T16:16:06.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nerves_hub_web",
          "vendor": "nerves-hub",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 2.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation,\nfirewalling access to the NervesHub server can help limit exposure until an upgrade is possible."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T14:57:00.362Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m"
        },
        {
          "name": "https://github.com/nerves-hub/nerves_hub_web/pull/2024",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nerves-hub/nerves_hub_web/pull/2024"
        },
        {
          "name": "https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0"
        }
      ],
      "source": {
        "advisory": "GHSA-m9vj-776q-vc8m",
        "discovery": "UNKNOWN"
      },
      "title": "NervesHub has Insufficient Token Entropy that Allows Authentication Bypass via Brute Force"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64097",
    "datePublished": "2026-01-22T14:57:00.362Z",
    "dateReserved": "2025-10-27T15:26:14.126Z",
    "dateUpdated": "2026-01-22T16:16:06.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-59371 (GCVE-0-2025-59371)

Vulnerability from cvelistv5 – Published: 2025-11-25 07:30 – Updated: 2026-02-26 16:07
VLAI
Summary
An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
References
URL Tags
https://www.asus.com/security-advisory/ vendor-advisory
Impacted products
Vendor Product Version
ASUS Router Affected: 3.0.0.4_386
Affected: 3.0.0.4_388
Affected: 3.0.0.6_102
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59371",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-26T04:55:22.682121Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:07:35.646Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Router",
          "vendor": "ASUS",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.0.4_386"
            },
            {
              "status": "affected",
              "version": "3.0.0.4_388"
            },
            {
              "status": "affected",
              "version": "3.0.0.6_102"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:asus:router:3.0.0.4_386:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:asus:router:3.0.0.4_388:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:asus:router:3.0.0.6_102:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models.\u003cbr\u003eRefer to the \u0027Security Update for ASUS Router Firmware\u0027 section on the ASUS Security Advisory for more information.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models.\nRefer to the \u0027Security Update for ASUS Router Firmware\u0027 section on the ASUS Security Advisory for more information."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-25T07:30:34.849Z",
        "orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
        "shortName": "ASUS"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.asus.com/security-advisory/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
    "assignerShortName": "ASUS",
    "cveId": "CVE-2025-59371",
    "datePublished": "2025-11-25T07:30:34.849Z",
    "dateReserved": "2025-09-15T01:36:47.358Z",
    "dateUpdated": "2026-02-26T16:07:35.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-49198 (GCVE-0-2025-49198)

Vulnerability from cvelistv5 – Published: 2025-06-12 14:24 – Updated: 2025-06-17 19:02
VLAI
Title
Poor quality of randomness in authorization tokens
Summary
The Media Server’s authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an active user by computing plausible tokens.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
References
URL Tags
https://sick.com/psirt x_SICK PSIRT Website
https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisory
https://www.sick.com/.well-known/csaf/white/2025/… vendor-advisoryx_csaf
Impacted products
Vendor Product Version
SICK AG SICK Media Server Affected: all versions (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49198",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-12T14:39:42.450840Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T19:02:49.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "SICK Media Server",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "all versions",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ccode\u003eThe Media Server\u2019s authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an active user by computing plausible tokens.\u003c/code\u003e"
            }
          ],
          "value": "The Media Server\u2019s authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an active user by computing plausible tokens."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T08:21:10.652Z",
        "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "shortName": "SICK AG"
      },
      "references": [
        {
          "tags": [
            "x_SICK PSIRT Website"
          ],
          "url": "https://sick.com/psirt"
        },
        {
          "tags": [
            "x_SICK Operating Guidelines"
          ],
          "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
        },
        {
          "tags": [
            "x_ICS-CERT recommended practices on Industrial Security"
          ],
          "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
        },
        {
          "tags": [
            "x_CVSS v3.1 Calculator"
          ],
          "url": "https://www.first.org/cvss/calculator/3.1"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
        },
        {
          "tags": [
            "vendor-advisory",
            "x_csaf"
          ],
          "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
        }
      ],
      "source": {
        "advisory": "sca-2025-0007",
        "discovery": "INTERNAL"
      },
      "title": "Poor quality of randomness in authorization tokens",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ccode\u003ePlease make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices.\u003c/code\u003e"
            }
          ],
          "value": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \\\"SICK Operating Guidelines\\\" and \\\"ICS-CERT recommended practices on Industrial Security\\\" could help to implement the general security practices."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
    "assignerShortName": "SICK AG",
    "cveId": "CVE-2025-49198",
    "datePublished": "2025-06-12T14:24:55.991Z",
    "dateReserved": "2025-06-03T05:58:15.616Z",
    "dateUpdated": "2025-06-17T19:02:49.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-43866 (GCVE-0-2025-43866)

Vulnerability from cvelistv5 – Published: 2025-06-12 18:04 – Updated: 2025-06-13 14:06
VLAI
Title
Vantage6 Server JWT secret not cryptographically secure
Summary
vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
References
Impacted products
Vendor Product Version
vantage6 vantage6 Affected: < 4.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43866",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T14:05:57.250897Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T14:06:06.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vantage6",
          "vendor": "vantage6",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 1.7,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T18:04:57.649Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh"
        }
      ],
      "source": {
        "advisory": "GHSA-m3mq-f375-5vgh",
        "discovery": "UNKNOWN"
      },
      "title": "Vantage6 Server JWT secret not cryptographically secure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-43866",
    "datePublished": "2025-06-12T18:04:57.649Z",
    "dateReserved": "2025-04-17T20:07:08.556Z",
    "dateUpdated": "2025-06-13T14:06:06.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22150 (GCVE-0-2025-22150)

Vulnerability from cvelistv5 – Published: 2025-01-21 17:46 – Updated: 2025-02-12 20:41
VLAI
Title
Undici Uses Insufficiently Random Values
Summary
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
Impacted products
Vendor Product Version
nodejs undici Affected: >= 4.5.0, < 5.28.5
Affected: >= 6.0.0, < 6.21.1
Affected: >= 7.0.0, < 7.2.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22150",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-21T18:34:22.789606Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:22.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undici",
          "vendor": "nodejs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 5.28.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.21.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-21T17:46:58.872Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975"
        },
        {
          "name": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0"
        },
        {
          "name": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a"
        },
        {
          "name": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385"
        },
        {
          "name": "https://hackerone.com/reports/2913312",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/2913312"
        },
        {
          "name": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f"
        },
        {
          "name": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
        }
      ],
      "source": {
        "advisory": "GHSA-c76h-2ccp-4975",
        "discovery": "UNKNOWN"
      },
      "title": "Undici Uses Insufficiently Random Values"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-22150",
    "datePublished": "2025-01-21T17:46:58.872Z",
    "dateReserved": "2024-12-30T03:00:33.654Z",
    "dateUpdated": "2025-02-12T20:41:22.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-15574 (GCVE-0-2025-15574)

Vulnerability from cvelistv5 – Published: 2026-02-12 10:58 – Updated: 2026-02-12 15:15
VLAI
Title
Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection
Summary
When connecting to the Solax Cloud MQTT server the username is the "registration number", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the "registration number" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
References
Credits
Stefan Viehböck, SEC Consult Vulnerability Lab
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-15574",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T15:15:40.976873Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-12T15:15:45.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi 3.0",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c3.022.03"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi+LAN",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c1.009.02"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi+4GM",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c1.005.05"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi+LAN 2.0",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c006.06"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Pocket WiFi 4.0",
          "vendor": "SolaX Power",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c003.03"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Stefan Viehb\u00f6ck, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When connecting to the Solax Cloud MQTT server the username is the \"registration number\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \"registration number\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters.\u003cbr\u003e"
            }
          ],
          "value": "When connecting to the Solax Cloud MQTT server the username is the \"registration number\", which is the 10 character string printed on the SolaX Power Pocket device / the QR code on the device. The password is derived from the \"registration number\" using a proprietary XOR/transposition algorithm. Attackers with the knowledge of the registration numbers can connect to the MQTT server and impersonate the dongle / inverters."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-12T10:58:29.373Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "url": "https://r.sec-consult.com/solax"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vendor provides patches for the affected Pocket models which can be obtained throw their customer\u0027s Solax Cloud account and using the Pocket firmware upgrade function there.\u003cbr\u003e\u003cbr\u003eAs of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:\u003cbr\u003e1. Pocket WiFi 3.0 \u2013 (3.022.03)\u003cbr\u003e2. Pocket WiFi+LAN \u2013 (1.009.02)\u003cbr\u003e3. Pocket WiFi+4GM \u2013 (1.005.05)\u003cbr\u003e4. Pocket WiFi+LAN 2.0 \u2013 (006.06)\u003cbr\u003e5. Pocket WiFi 4.0 \u2013 (003.03)\u003cbr\u003e\u003cbr\u003eThe vendor provided the following further information regarding EV Charger and Adapter Box:\u003cbr\u003e1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.\u003cbr\u003e2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature.\u003cbr\u003e"
            }
          ],
          "value": "The vendor provides patches for the affected Pocket models which can be obtained throw their customer\u0027s Solax Cloud account and using the Pocket firmware upgrade function there.\n\nAs of February 10, 2026, the firmware versions for each affected Pocket model are as follows according to the vendor:\n1. Pocket WiFi 3.0 \u2013 (3.022.03)\n2. Pocket WiFi+LAN \u2013 (1.009.02)\n3. Pocket WiFi+4GM \u2013 (1.005.05)\n4. Pocket WiFi+LAN 2.0 \u2013 (006.06)\n5. Pocket WiFi 4.0 \u2013 (003.03)\n\nThe vendor provided the following further information regarding EV Charger and Adapter Box:\n1. EV Charger: The WiFi module firmware supports digital signature, but only one-way authentication is implemented.\n2. Adapter Box: The WiFi module firmware supports two-way authentication and digital signature."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2025-15574",
    "datePublished": "2026-02-12T10:58:29.373Z",
    "dateReserved": "2026-02-09T09:43:51.017Z",
    "dateUpdated": "2026-02-12T15:15:45.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13955 (GCVE-0-2025-13955)

Vulnerability from cvelistv5 – Published: 2025-12-10 08:30 – Updated: 2026-05-28 12:30
VLAI
Title
Predictable Default Wi-Fi Password in EZCast Pro II Dongle
Summary
Predictable default Wi-Fi Password in Access Point functionality in EZCast Pro II before version 1.17478.177 allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifiers
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
References
Impacted products
Vendor Product Version
EZCast EZCast Pro II Affected: 0 , < 1.17478.177 (custom)
Create a notification for this product.
Credits
Swiss National Test Institute for Cybersecurity NTC Swiss National Cybersecurity Centre
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13955",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-10T14:51:15.511995Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-10T14:52:44.905Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "EZCast Pro II",
          "vendor": "EZCast",
          "versions": [
            {
              "lessThan": "1.17478.177",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Swiss National Test Institute for Cybersecurity NTC"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Swiss National Cybersecurity Centre"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Predictable default Wi-Fi Password in Access Point functionality in\u0026nbsp;EZCast Pro II\u0026nbsp;before version 1.17478.177\u0026nbsp;allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifiers"
            }
          ],
          "value": "Predictable default Wi-Fi Password in Access Point functionality in\u00a0EZCast Pro II\u00a0before version 1.17478.177\u00a0allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifiers"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/AU:Y/RE:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T12:30:10.125Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://www.nimbletech.com.tw/index.php/release-note/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade the firmware to version 1.17478.177 or later."
            }
          ],
          "value": "Upgrade the firmware to version 1.17478.177 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Predictable Default Wi-Fi Password in EZCast Pro II Dongle",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Until a firmware patch is made available by the vendor, all users are advised to change the default password in the management UI."
            }
          ],
          "value": "Until a firmware patch is made available by the vendor, all users are advised to change the default password in the management UI."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2025-13955",
    "datePublished": "2025-12-10T08:30:36.364Z",
    "dateReserved": "2025-12-03T13:26:04.173Z",
    "dateUpdated": "2026-05-28T12:30:10.125Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13470 (GCVE-0-2025-13470)

Vulnerability from cvelistv5 – Published: 2025-11-21 17:05 – Updated: 2025-11-21 17:35
VLAI
Title
RNP 0.18.0 Vulnerable PKESK session keys
Summary
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects only public key encryption (PKESK packets).  Passphrase-based encryption (SKESK packets) is not affected. Root cause: Vulnerable session key buffer used in PKESK packet generation. The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization logic inside `encrypted_build_skesk()` only randomized the key for the SKESK path and omitted it for the PKESK path.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
Impacted products
Vendor Product Version
Ribose RNP Affected: 0.18.0
Create a notification for this product.
Date Public
2025-11-21 00:00
Credits
Johannes Roth (MTG AG)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13470",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-21T17:35:25.938705Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-21T17:35:33.645Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RNP",
          "repo": "https://github.com/rnpgp/rnp",
          "vendor": "Ribose",
          "versions": [
            {
              "status": "affected",
              "version": "0.18.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Johannes Roth (MTG AG)"
        }
      ],
      "datePublic": "2025-11-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cp\u003eIn RNP version 0.18.0 a refactoring regression causes the symmetric \nsession key used for Public-Key Encrypted Session Key (PKESK) packets to\n be left uninitialized except for zeroing, resulting in it always being \nan all-zero byte array.\u003c/p\u003e\u003cp\u003eAny data encrypted using public-key encryption \nin this release can be decrypted trivially by supplying an all-zero \nsession key, fully compromising confidentiality.\u003cbr\u003e\u003cbr\u003eThe vulnerability affects only public key encryption (PKESK packets).\u0026nbsp; Passphrase-based encryption (SKESK packets) is not affected.\u003cbr\u003e\u003cbr\u003eRoot cause: Vulnerable session key buffer used in PKESK packet generation.\u003cbr\u003e\u003c/p\u003e\n\u003cp\u003eThe defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization \nlogic inside `encrypted_build_skesk()` only randomized the key for the \nSKESK path and omitted it for the PKESK path.\u003c/p\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "In RNP version 0.18.0 a refactoring regression causes the symmetric \nsession key used for Public-Key Encrypted Session Key (PKESK) packets to\n be left uninitialized except for zeroing, resulting in it always being \nan all-zero byte array.\n\nAny data encrypted using public-key encryption \nin this release can be decrypted trivially by supplying an all-zero \nsession key, fully compromising confidentiality.\n\nThe vulnerability affects only public key encryption (PKESK packets).\u00a0 Passphrase-based encryption (SKESK packets) is not affected.\n\nRoot cause: Vulnerable session key buffer used in PKESK packet generation.\n\n\n\nThe defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization \nlogic inside `encrypted_build_skesk()` only randomized the key for the \nSKESK path and omitted it for the PKESK path."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eDecryption succeeds for affected ciphertext using an all-zero session key.\u003c/li\u003e\u003cli\u003eAttack requires only possession of the ciphertext.\u003c/li\u003e\u003cli\u003ePrivate keys are not exposed.\u0026nbsp; Vulnerability is limited to session key generation path.\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "*  Decryption succeeds for affected ciphertext using an all-zero session key.\n  *  Attack requires only possession of the ciphertext.\n  *  Private keys are not exposed.\u00a0 Vulnerability is limited to session key generation path."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Confidentiality issue for PKESK-encrypted data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:Y/RE:H/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-21T17:17:44.765Z",
        "orgId": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3",
        "shortName": "Ribose"
      },
      "references": [
        {
          "name": "Introducing commit",
          "tags": [
            "related"
          ],
          "url": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a"
        },
        {
          "name": "Ubuntu package",
          "tags": [
            "x_downstream-package"
          ],
          "url": "https://launchpad.net/ubuntu/+source/rnp"
        },
        {
          "name": "Arch Linux AUR package",
          "tags": [
            "x_downstream-package"
          ],
          "url": "https://aur.archlinux.org/packages/rnp"
        },
        {
          "name": "Bugzilla report (may become public)",
          "tags": [
            "x_downstream_package"
          ],
          "url": "https://packages.gentoo.org/packages/dev-util/librnp"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415863"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://access.redhat.com/security/cve/cve-2025-13402"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://open.ribose.com/advisories/ra-2025-11-20/"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/rnpgp/rnp/releases/tag/v0.18.1"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cb\u003eFor standalone RNP users:\u003c/b\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eUpgrade to RNP 0.18.1 when available.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eFor distributions that have packaged 0.18.0:\u003c/b\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003ePlease update to 0.18.1 when released, or consider providing 0.17.1 as an\u003cbr\u003einterim option.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eFor Thunderbird packages using system RNP:\u003c/b\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eIf your Thunderbird package is built with system RNP support and RNP 0.18.0 is installed, update RNP to 0.18.1 or 0.17.1. Consider whether Thunderbird should continue using system RNP or switch to bundled RNP.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eFor all other users:\u003c/b\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eUsers who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should re-encrypt that data with RNP 0.18.1 or 0.17.1 based on their security requirements.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "For standalone RNP users:\n\n\nUpgrade to RNP 0.18.1 when available.\n\nFor distributions that have packaged 0.18.0:\n\n\nPlease update to 0.18.1 when released, or consider providing 0.17.1 as an\ninterim option.\n\nFor Thunderbird packages using system RNP:\n\n\nIf your Thunderbird package is built with system RNP support and RNP 0.18.0 is installed, update RNP to 0.18.1 or 0.17.1. Consider whether Thunderbird should continue using system RNP or switch to bundled RNP.\n\nFor all other users:\n\n\nUsers who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should re-encrypt that data with RNP 0.18.1 or 0.17.1 based on their security requirements."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-19T00:00:00.000Z",
          "value": "RNP 0.18.0 released (vulnerability introduced)."
        },
        {
          "lang": "en",
          "time": "2025-11-07T00:00:00.000Z",
          "value": "Vulnerability discovered and reported by Johannes Roth (MTG AG)."
        },
        {
          "lang": "en",
          "time": "2025-11-19T00:00:00.000Z",
          "value": "CVE-2025-13402 assigned by Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-11-20T00:00:00.000Z",
          "value": "CVE-2025-13470 assigned by Ribose/MITRE."
        },
        {
          "lang": "en",
          "time": "2025-11-20T00:00:00.000Z",
          "value": "Fix developed and tested."
        },
        {
          "lang": "en",
          "time": "2025-11-21T00:00:00.000Z",
          "value": "Planned release date for RNP 0.18.1."
        },
        {
          "lang": "en",
          "time": "2025-11-21T00:00:00.000Z",
          "value": "Public disclosure (same day as release)."
        }
      ],
      "title": "RNP 0.18.0 Vulnerable PKESK session keys",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No workaround.\u0026nbsp; All PKESK-encrypted ciphertext produced with 0.18.0 is compromised.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "No workaround.\u00a0 All PKESK-encrypted ciphertext produced with 0.18.0 is compromised."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3",
    "assignerShortName": "Ribose",
    "cveId": "CVE-2025-13470",
    "datePublished": "2025-11-21T17:05:15.683Z",
    "dateReserved": "2025-11-20T08:36:59.270Z",
    "dateUpdated": "2025-11-21T17:35:33.645Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13353 (GCVE-0-2025-13353)

Vulnerability from cvelistv5 – Published: 2025-12-02 11:03 – Updated: 2025-12-02 16:54
VLAI
Title
gokey allows secret recovery from a seed file without the master password
Summary
In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used * a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password Patches The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now. System secret rotation guidance It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below. Systems that do not require the old password/secret for rotation Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system. Systems that require the old password/secret for rotation Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to: * temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password * use gokey version 0.2.0 or above to generate the new password * populate the system provided password rotation form Systems that allow multiple credentials for the same account to be provisioned Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above * provision the new secret/key/credential in addition to the existing credential on the system * verify that the access or required system operation is still possible with the new secret/key/credential * revoke authorization for the existing/old credential from the system Credit This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
Impacted products
Vendor Product Version
Cloudflare gokey Affected: 0.1.0 , < 0.2.0 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13353",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T16:50:27.674442Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T16:54:23.544Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "github.com/cloudflare/gokey",
          "product": "gokey",
          "repo": "https://github.com/cloudflare/gokey",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "0.2.0",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\n  \u003cdiv\u003e\n    \u003cp\u003eIn gokey versions \u003ccode\u003e\u0026lt;0.2.0\u003c/code\u003e,\n a flaw in the seed decryption logic resulted in passwords incorrectly \nbeing derived solely from the initial vector and the AES-GCM \nauthentication tag of the key seed.\u003c/p\u003e\n\u003cp\u003eThis issue has been fixed in gokey version \u003ccode\u003e0.2.0\u003c/code\u003e. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the \u003ccode\u003e-s\u003c/code\u003e option). Even if the input seed file stays the same, version \u003ccode\u003e0.2.0\u003c/code\u003e gokey will generate different secrets.\u003c/p\u003e\n\u003ch3\u003eImpact\u003c/h3\u003e\n\u003cp\u003eThis vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the \u003ccode\u003e-s\u003c/code\u003e option). Keys/secrets generated just from the master password (without the \u003ccode\u003e-s\u003c/code\u003e\n option) are not impacted. The confidentiality of the seed itself is \nalso not impacted (it is not required to regenerate the seed itself). \nSpecific impact includes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ekeys/secrets generated from a seed file may have lower entropy: it \nwas expected that the whole seed would be used to generate keys (240 \nbytes of entropy input), where in vulnerable versions only 28 bytes was \nused\u003c/li\u003e\n\u003cli\u003ea malicious entity could have recovered all passwords, generated \nfrom a particular seed, having only the seed file in possession without \nthe knowledge of the seed master password\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003ePatches\u003c/h3\u003e\n\u003cp\u003eThe code logic bug has been fixed in gokey version \u003ccode\u003e0.2.0\u003c/code\u003e\n and above. Due to the deterministic nature of gokey, fixed versions \nwill produce different passwords/secrets using seed files, as all seed \nentropy will be used now.\u003c/p\u003e\n\u003ch3\u003eSystem secret rotation guidance\u003c/h3\u003e\n\u003cp\u003eIt is advised for users to regenerate passwords/secrets using the patched version of gokey (\u003ccode\u003e0.2.0\u003c/code\u003e\n and above), and provision/rotate these secrets into respective systems \nin place of the old secret. A specific rotation procedure is \nsystem-dependent, but most common patterns are described below.\u003c/p\u003e\n\u003ch4\u003eSystems that do not require the old password/secret for rotation\u003c/h4\u003e\n\u003cp\u003eSuch systems usually have a \"Forgot password\" facility or a\n similar facility allowing users to rotate their password/secrets by \nsending a unique \"magic\" link to the user\u0027s email or phone. In such \ncases users are advised to use this facility and input the newly \ngenerated password secret, when prompted by the system.\u003c/p\u003e\n\u003ch4\u003eSystems that require the old password/secret for rotation\u003c/h4\u003e\n\u003cp\u003eSuch systems usually have a modal password rotation window\n usually in the user settings section requiring the user to input the \nold and the new password sometimes with a confirmation. To \ngenerate/recover the old password in such cases users are advised to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003etemporarily download \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/gokey/releases/tag/v0.1.3\"\u003egokey version \u003ccode\u003e0.1.3\u003c/code\u003e\u003c/a\u003e for their respective operating system to recover the old password\u003c/li\u003e\n\u003cli\u003euse gokey version \u003ccode\u003e0.2.0\u003c/code\u003e or above to generate the new password\u003c/li\u003e\n\u003cli\u003epopulate the system provided password rotation form\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eSystems that allow multiple credentials for the same account to be provisioned\u003c/h4\u003e\n\u003cp\u003eSuch systems usually require a secret or a cryptographic \nkey as a credential for access, but allow several credentials at the \nsame time. One example is SSH: a particular user may have several \nauthorized public keys configured on the SSH server for access. For such\n systems users are advised to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003egenerate a new secret/key/credential using gokey version \u003ccode\u003e0.2.0\u003c/code\u003e or above\u003c/li\u003e\n\u003cli\u003eprovision the new secret/key/credential in addition to the existing credential on the system\u003c/li\u003e\n\u003cli\u003everify that the access or required system operation is still possible with the new secret/key/credential\u003c/li\u003e\n\u003cli\u003erevoke authorization for the existing/old credential from the system\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eCredit\u003c/h3\u003e\n\u003cp\u003eThis vulnerability was found by Th\u00e9o Cusnir (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://hackerone.com/mister_mime?type=user\"\u003e@mister_mime\u003c/a\u003e) and responsibly disclosed through Cloudflare\u0027s bug bounty program.\u003c/p\u003e\n  \u003c/div\u003e\n\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "In gokey versions \u003c0.2.0,\n a flaw in the seed decryption logic resulted in passwords incorrectly \nbeing derived solely from the initial vector and the AES-GCM \nauthentication tag of the key seed.\n\n\nThis issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.\n\n\nImpact\nThis vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s\n option) are not impacted. The confidentiality of the seed itself is \nalso not impacted (it is not required to regenerate the seed itself). \nSpecific impact includes:\n\n\n\n  *  keys/secrets generated from a seed file may have lower entropy: it \nwas expected that the whole seed would be used to generate keys (240 \nbytes of entropy input), where in vulnerable versions only 28 bytes was \nused\n\n  *  a malicious entity could have recovered all passwords, generated \nfrom a particular seed, having only the seed file in possession without \nthe knowledge of the seed master password\n\n\n\n\nPatches\nThe code logic bug has been fixed in gokey version 0.2.0\n and above. Due to the deterministic nature of gokey, fixed versions \nwill produce different passwords/secrets using seed files, as all seed \nentropy will be used now.\n\n\nSystem secret rotation guidance\nIt is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0\n and above), and provision/rotate these secrets into respective systems \nin place of the old secret. A specific rotation procedure is \nsystem-dependent, but most common patterns are described below.\n\n\nSystems that do not require the old password/secret for rotation\nSuch systems usually have a \"Forgot password\" facility or a\n similar facility allowing users to rotate their password/secrets by \nsending a unique \"magic\" link to the user\u0027s email or phone. In such \ncases users are advised to use this facility and input the newly \ngenerated password secret, when prompted by the system.\n\n\nSystems that require the old password/secret for rotation\nSuch systems usually have a modal password rotation window\n usually in the user settings section requiring the user to input the \nold and the new password sometimes with a confirmation. To \ngenerate/recover the old password in such cases users are advised to:\n\n\n\n  *  temporarily download  gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3  for their respective operating system to recover the old password\n\n  *  use gokey version 0.2.0 or above to generate the new password\n\n  *  populate the system provided password rotation form\n\n\n\n\nSystems that allow multiple credentials for the same account to be provisioned\nSuch systems usually require a secret or a cryptographic \nkey as a credential for access, but allow several credentials at the \nsame time. One example is SSH: a particular user may have several \nauthorized public keys configured on the SSH server for access. For such\n systems users are advised to:\n\n\n\n  *  generate a new secret/key/credential using gokey version 0.2.0 or above\n\n  *  provision the new secret/key/credential in addition to the existing credential on the system\n\n  *  verify that the access or required system operation is still possible with the new secret/key/credential\n\n  *  revoke authorization for the existing/old credential from the system\n\n\n\n\nCredit\nThis vulnerability was found by Th\u00e9o Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare\u0027s bug bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-02T11:03:21.832Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/gokey/security/advisories/GHSA-69jw-4jj8-fcxm"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "gokey allows secret recovery from a seed file without the master password",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-13353",
    "datePublished": "2025-12-02T11:03:21.832Z",
    "dateReserved": "2025-11-18T11:21:27.669Z",
    "dateUpdated": "2025-12-02T16:54:23.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design
  • Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
  • In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
  • Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Mitigation
Implementation

Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.

Mitigation MIT-2
Architecture and Design Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-485: Signature Spoofing by Key Recreation

An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.