CWE-331
AllowedInsufficient Entropy
Abstraction: Base · Status: Draft
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
207 vulnerabilities reference this CWE, most recent first.
GHSA-2M7H-86QQ-FP4V
Vulnerability from github – Published: 2022-06-21 20:03 – Updated: 2022-06-21 20:03Impact
All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. (The specific weak parameters are listed in the References section.)
The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact (potentially granting an attacker admin access to Argo CD). The CVSS for this Security Advisory assumes the worst-case scenario.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.4.1
- v2.3.5
- v2.2.10
- v2.1.16
Workarounds
There are no workarounds. You must upgrade to a patched version to resolve the vulnerability.
References
These are the insufficiently-random parameters:
- (since 0.11.0) The
stateparameter generated by theargocd logincommand for Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy required in the spec. This parameter is a "recommended" part of the Oauth2 flow and helps protect against cross-site request forgery attacks. - (since 1.7.2, when PKCE was added) The
code_verifierparameter generated by theargocd logincommand for Oauth2+PKCE login used a non-cryptographically secure source of entropy. The attacks mitigated by PKCE are complex but have been observed in the wild. - (since 0.11.0) The
stateparameter generated by the Argo CD API server during a UI-initiated Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy required in the spec. This parameter is a "recommended" part of the Oauth2 flow and helps protect against cross-site request forgery attacks. - (since 0.11.0) The
nonceparameter generated by the Argo CD API server during a UI-initiated Oauth2 implicit flow login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide sufficient entropy. This parameter is a required part of the OIDC implicit login flow and helps protect against replay attacks.
Credits
Originally discovered by @jgwest. @jannfis and @crenshaw-dev re-discovered the vulnerability when reviewing notes from ADA Logics' security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their work on the audit.
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.0"
},
{
"fixed": "2.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.0"
]
}
],
"aliases": [
"CVE-2022-31034"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-21T20:03:23Z",
"nvd_published_at": "2022-06-27T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAll versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. (The specific weak parameters are listed in the References section.)\n\nThe attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact (potentially granting an attacker admin access to Argo CD). The CVSS for this Security Advisory assumes the worst-case scenario.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.4.1\n* v2.3.5\n* v2.2.10\n* v2.1.16\n\n### Workarounds\n\nThere are no workarounds. You must upgrade to a patched version to resolve the vulnerability.\n\n### References\n\nThese are the insufficiently-random parameters:\n\n1. (since 0.11.0) The [`state` parameter](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) generated by the `argocd login` command for Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy [required in the spec](https://datatracker.ietf.org/doc/html/rfc6749#section-10.10). This parameter is a \"recommended\" part of the Oauth2 flow and helps protect against cross-site request forgery attacks.\n2. (since 1.7.2, when PKCE was added) The [`code_verifier` parameter](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1) generated by the `argocd login` command for Oauth2+PKCE login used a non-cryptographically secure source of entropy. The attacks mitigated by PKCE [are complex but have been observed in the wild](https://datatracker.ietf.org/doc/html/rfc7636#section-1).\n3. (since 0.11.0) The [`state` parameter](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) generated by the Argo CD API server during a UI-initiated Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy [required in the spec](https://datatracker.ietf.org/doc/html/rfc6749#section-10.10). This parameter is a \"recommended\" part of the Oauth2 flow and helps protect against cross-site request forgery attacks.\n4. (since 0.11.0) The [`nonce` parameter](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest) generated by the Argo CD API server during a UI-initiated Oauth2 implicit flow login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide sufficient entropy. This parameter is a required part of the OIDC implicit login flow and helps protect against replay attacks.\n\n### Credits\n\nOriginally discovered by @jgwest. @jannfis and @crenshaw-dev re-discovered the vulnerability when reviewing notes from ADA Logics\u0027 security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their work on the audit.\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
"id": "GHSA-2m7h-86qq-fp4v",
"modified": "2022-06-21T20:03:23Z",
"published": "2022-06-21T20:03:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insecure entropy in Argo CD\u0027s PKCE/Oauth2/OIDC params"
}
GHSA-33HF-J99J-JXG5
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-04-04 03:07Cryptocat before 2.0.22: Cryptocat.random() Function Array Key has Entropy Weakness
{
"affected": [],
"aliases": [
"CVE-2013-2260"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-04T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Cryptocat before 2.0.22: Cryptocat.random() Function Array Key has Entropy Weakness",
"id": "GHSA-33hf-j99j-jxg5",
"modified": "2024-04-04T03:07:09Z",
"published": "2022-05-24T22:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2260"
},
{
"type": "WEB",
"url": "https://tobtu.com/decryptocat.php"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.9435"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2013/07/10/15"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/61091/info"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-359G-G9H9-MGJR
Vulnerability from github – Published: 2022-06-17 00:01 – Updated: 2022-06-28 00:00CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote attacker to potentially access sensitive data.
{
"affected": [],
"aliases": [
"CVE-2022-33756"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-16T22:15:00Z",
"severity": "HIGH"
},
"details": "CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote attacker to potentially access sensitive data.",
"id": "GHSA-359g-g9h9-mgjr",
"modified": "2022-06-28T00:00:45Z",
"published": "2022-06-17T00:01:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33756"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20629"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3839-6R69-M497
Vulnerability from github – Published: 2022-12-28 00:30 – Updated: 2026-01-23 22:51Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xg2h-wx96-xgxr. This link is maintained to preserve external references.
Original Description
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/Masterminds/goutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T18:53:53Z",
"nvd_published_at": "2022-12-27T22:15:00Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xg2h-wx96-xgxr. This link is maintained to preserve external references.\n\n## Original Description\nRandomly-generated alphanumeric strings contain significantly less entropy than expected. The `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.",
"id": "GHSA-3839-6r69-m497",
"modified": "2026-01-23T22:51:27Z",
"published": "2022-12-28T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238"
},
{
"type": "WEB",
"url": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1"
},
{
"type": "PACKAGE",
"url": "https://github.com/Masterminds/goutils"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: GoUtils\u0027s randomly-generated alphanumeric strings contain significantly less entropy than expected",
"withdrawn": "2026-01-23T22:51:27Z"
}
GHSA-38VV-QGW3-86P8
Vulnerability from github – Published: 2024-09-10 03:31 – Updated: 2024-09-10 03:31An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.
{
"affected": [],
"aliases": [
"CVE-2024-38270"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T02:15:09Z",
"severity": "MODERATE"
},
"details": "An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.",
"id": "GHSA-38vv-qgw3-86p8",
"modified": "2024-09-10T03:31:31Z",
"published": "2024-09-10T03:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38270"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficient-entropy-vulnerability-for-web-authentication-tokens-generation-in-gs1900-series-switches-09-10-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3FMQ-X9Q6-WM39
Vulnerability from github – Published: 2024-05-17 23:27 – Updated: 2024-05-17 23:27random_compat versions prior to 2.0 are affected by a security vulnerability related to the insecure usage of Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). The affected versions use openssl_random_pseudo_bytes(), which may result in insufficient entropy and compromise the security of generated random numbers.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "paragonie/random_compat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-17T23:27:19Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "random_compat versions prior to 2.0 are affected by a security vulnerability related to the insecure usage of Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). The affected versions use openssl_random_pseudo_bytes(), which may result in insufficient entropy and compromise the security of generated random numbers.",
"id": "GHSA-3fmq-x9q6-wm39",
"modified": "2024-05-17T23:27:19Z",
"published": "2024-05-17T23:27:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/paragonie/random_compat/issues/96"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/paragonie/random_compat/2016-03-16.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/paragonie/random_compat"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "random_compat Uses insecure CSPRNG"
}
GHSA-3FWQ-4GV2-9V92
Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-09-30 15:30Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.
{
"affected": [],
"aliases": [
"CVE-2024-58040"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T11:37:36Z",
"severity": "CRITICAL"
},
"details": "Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.",
"id": "GHSA-3fwq-4gv2-9v92",
"modified": "2025-09-30T15:30:29Z",
"published": "2025-09-30T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58040"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/QWER/Crypt-RandomEncryption-0.01/source/lib/Crypt/RandomEncryption.pm#L33"
},
{
"type": "WEB",
"url": "https://perldoc.perl.org/functions/rand"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QFW-5G24-8PMQ
Vulnerability from github – Published: 2024-10-15 12:30 – Updated: 2025-11-04 00:31The devices are vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result only the PIDs are effectively used as seed.
{
"affected": [],
"aliases": [
"CVE-2024-47945"
],
"database_specific": {
"cwe_ids": [
"CWE-331",
"CWE-340"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T10:15:03Z",
"severity": "CRITICAL"
},
"details": "The devices are vulnerable to session hijacking due to insufficient \nentropy in its session ID generation algorithm. The session IDs are \npredictable, with only 32,768 possible values per user, which allows \nattackers to pre-generate valid session IDs, leading to unauthorized \naccess to user sessions. This is not only due to the use of an \n(insecure) rand() function call but also because of missing \ninitialization via srand(). As a result only the PIDs are effectively \nused as seed.",
"id": "GHSA-3qfw-5g24-8pmq",
"modified": "2025-11-04T00:31:34Z",
"published": "2024-10-15T12:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47945"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/rittaliot"
},
{
"type": "WEB",
"url": "https://www.rittal.com/de-de/products/deep/3124300"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3W3W-PXMM-2W2J
Vulnerability from github – Published: 2023-06-12 03:30 – Updated: 2026-03-16 21:31The crypto-js package 3.2.0 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "crypto-js"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.2.0"
]
}
],
"aliases": [
"CVE-2020-36732"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-13T12:44:48Z",
"nvd_published_at": "2023-06-12T02:15:48Z",
"severity": "MODERATE"
},
"details": "The crypto-js package 3.2.0 for Node.js generates random numbers by concatenating the string \"0.\" with an integer, which makes the output more predictable than necessary.",
"id": "GHSA-3w3w-pxmm-2w2j",
"modified": "2026-03-16T21:31:59Z",
"published": "2023-06-12T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36732"
},
{
"type": "WEB",
"url": "https://github.com/brix/crypto-js/issues/254"
},
{
"type": "WEB",
"url": "https://github.com/brix/crypto-js/issues/256"
},
{
"type": "WEB",
"url": "https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b"
},
{
"type": "WEB",
"url": "https://github.com/brix/crypto-js/commit/b405ff597fb3ac76a7bdfbc72dca10ba1079b1d5"
},
{
"type": "WEB",
"url": "https://github.com/brix/crypto-js/commit/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b"
},
{
"type": "PACKAGE",
"url": "https://github.com/brix/crypto-js"
},
{
"type": "WEB",
"url": "https://github.com/brix/crypto-js/compare/3.2.0...3.2.1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230706-0003"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "crypto-js uses insecure random numbers"
}
GHSA-434V-X5QV-PMH6
Vulnerability from github – Published: 2026-03-26 17:58 – Updated: 2026-03-26 17:58The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.
Impact
This bug only occurs in the event of a catastrophic failure of the CSPRNG, but would allow anyone to forge signatures under the resulting static signing key.
Mitigation
Instead of silently continuing with an all-zero signing key, starting from version 0.0.7 key generation will error in the case of 100 failed attempts at sampling a valid key.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libcrux-ed25519"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1240",
"CWE-331",
"CWE-392"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T17:58:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.\n\n## Impact\nThis bug only occurs in the event of a catastrophic failure of the CSPRNG, but would allow anyone to forge signatures under the resulting static signing key.\n\n## Mitigation\nInstead of silently continuing with an all-zero signing key, starting from version `0.0.7` key generation will error in the case of 100 failed attempts at sampling a valid key.",
"id": "GHSA-434v-x5qv-pmh6",
"modified": "2026-03-26T17:58:55Z",
"published": "2026-03-26T17:58:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cryspen/libcrux/pull/1349"
},
{
"type": "PACKAGE",
"url": "https://github.com/cryspen/libcrux"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0075.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "libcrux has All-Zero Key Generation Upon Catastrophic RNG Failure"
}
Mitigation
Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.