CWE-338
AllowedUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Abstraction: Base · Status: Draft
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
293 vulnerabilities reference this CWE, most recent first.
GHSA-PM4F-PGGW-8JWC
Vulnerability from github – Published: 2023-04-27 06:30 – Updated: 2024-04-04 03:42Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.
{
"affected": [],
"aliases": [
"CVE-2023-31290"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-27T05:15:08Z",
"severity": "MODERATE"
},
"details": "Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.",
"id": "GHSA-pm4f-pggw-8jwc",
"modified": "2024-04-04T03:42:41Z",
"published": "2023-04-27T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31290"
},
{
"type": "WEB",
"url": "https://blog.ledger.com/Funds-of-every-wallet-created-with-the-Trust-Wallet-browser-extension-could-have-been-stolen"
},
{
"type": "WEB",
"url": "https://community.trustwallet.com/t/browser-extension-wasm-vulnerability-postmortem/750787"
},
{
"type": "WEB",
"url": "https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions/750786"
},
{
"type": "WEB",
"url": "https://github.com/trustwallet/wallet-core/compare/3.1.0...3.1.1"
},
{
"type": "WEB",
"url": "https://twitter.com/TrustWallet/status/1649699428733947906"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMXQ-4HQC-9HR4
Vulnerability from github – Published: 2025-03-24 18:31 – Updated: 2025-03-24 18:31A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials.
{
"affected": [],
"aliases": [
"CVE-2021-26091"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-24T16:15:16Z",
"severity": "HIGH"
},
"details": "A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials.",
"id": "GHSA-pmxq-4hqc-9hr4",
"modified": "2025-03-24T18:31:01Z",
"published": "2025-03-24T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26091"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-21-031"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PRGJ-H7JQ-7P9H
Vulnerability from github – Published: 2023-08-09 03:30 – Updated: 2024-04-04 06:43The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from "bx seed" entropy output and steal funds. (Affected users need to move funds to a secure new cryptocurrency wallet.) NOTE: the vendor's position is that there was sufficient documentation advising against "bx seed" but others disagree. NOTE: this was exploited in the wild in June and July 2023.
{
"affected": [],
"aliases": [
"CVE-2023-39910"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-09T03:15:44Z",
"severity": "HIGH"
},
"details": "The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from \"bx seed\" entropy output and steal funds. (Affected users need to move funds to a secure new cryptocurrency wallet.) NOTE: the vendor\u0027s position is that there was sufficient documentation advising against \"bx seed\" but others disagree. NOTE: this was exploited in the wild in June and July 2023.",
"id": "GHSA-prgj-h7jq-7p9h",
"modified": "2024-04-04T06:43:16Z",
"published": "2023-08-09T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39910"
},
{
"type": "WEB",
"url": "https://github.com/libbitcoin/libbitcoin-explorer/blob/20eba4db9a8a3476949d6fd08a589abda7fde3e3/src/commands/seed.cpp#L44"
},
{
"type": "WEB",
"url": "https://github.com/libbitcoin/libbitcoin-explorer/blob/20eba4db9a8a3476949d6fd08a589abda7fde3e3/src/utility.cpp#L78"
},
{
"type": "WEB",
"url": "https://github.com/libbitcoin/libbitcoin-explorer/wiki/CVE-2023-39910"
},
{
"type": "WEB",
"url": "https://github.com/libbitcoin/libbitcoin-system/blob/a1b777fc51d9c04e0c7a1dec5cc746b82a6afe64/src/crypto/pseudo_random.cpp#L66C12-L78"
},
{
"type": "WEB",
"url": "https://milksad.info/disclosure.html"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=37054862"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PRR9-FCGF-VPXX
Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-02-27 21:31Apache::SessionX versions through 2.01 for Perl create insecure session id.
Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
{
"affected": [],
"aliases": [
"CVE-2025-40932"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T00:16:55Z",
"severity": "HIGH"
},
"details": "Apache::SessionX versions through 2.01 for Perl create insecure session id.\n\nApache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.",
"id": "GHSA-prr9-fcgf-vpxx",
"modified": "2026-02-27T21:31:21Z",
"published": "2026-02-27T00:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40932"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/GRICHTER/Apache-SessionX-2.01/source/SessionX/Generate/MD5.pm#L29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PRWJ-528C-65R9
Vulnerability from github – Published: 2022-05-17 03:46 – Updated: 2025-10-06 18:31OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.
{
"affected": [],
"aliases": [
"CVE-2014-2362"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-07-24T14:55:00Z",
"severity": "HIGH"
},
"details": "OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.",
"id": "GHSA-prwj-528c-65r9",
"modified": "2025-10-06T18:31:01Z",
"published": "2022-05-17T03:46:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2362"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-202-01a"
},
{
"type": "WEB",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-202-01"
},
{
"type": "WEB",
"url": "http://support.oleumtech.com"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/68797"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/68800"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q3GC-45GM-V55M
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:31wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.
{
"affected": [],
"aliases": [
"CVE-2017-5493"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-15T02:59:00Z",
"severity": "HIGH"
},
"details": "wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.",
"id": "GHSA-q3gc-45gm-v55m",
"modified": "2025-04-20T03:31:14Z",
"published": "2022-05-13T01:46:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5493"
},
{
"type": "WEB",
"url": "https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4"
},
{
"type": "WEB",
"url": "https://codex.wordpress.org/Version_4.7.1"
},
{
"type": "WEB",
"url": "https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/8721"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3779"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/01/14/6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95401"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037591"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q3JG-4C82-J4XH
Vulnerability from github – Published: 2018-11-29 21:30 – Updated: 2022-09-14 22:09Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.credhub:spring-credhub-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-15795"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:50:43Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker\u0027s UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.",
"id": "GHSA-q3jg-4c82-j4xh",
"modified": "2022-09-14T22:09:19Z",
"published": "2018-11-29T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15795"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-q3jg-4c82-j4xh"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2018-15795"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Pivotal CredHub Service Broker"
}
GHSA-Q46Q-P96M-RVH8
Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 18:30Starch versions 0.14 and earlier generate session ids insecurely.
The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Predicable session ids could allow an attacker to gain access to systems.
{
"affected": [],
"aliases": [
"CVE-2025-40925"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-20T13:15:34Z",
"severity": "CRITICAL"
},
"details": "Starch versions 0.14 and earlier generate session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.",
"id": "GHSA-q46q-p96m-rvh8",
"modified": "2025-09-22T18:30:34Z",
"published": "2025-09-22T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40925"
},
{
"type": "WEB",
"url": "https://github.com/bluefeet/Starch/pull/5"
},
{
"type": "WEB",
"url": "https://github.com/bluefeet/Starch/commit/5573449e64e0660f7ee209d1eab5881d4ccbee3b.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/dist/Starch/source/lib/Starch/Manager.pm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q8FC-V85F-78PW
Vulnerability from github – Published: 2024-05-29 13:09 – Updated: 2024-05-29 13:09The vulnerability pertains to the usage of an insecure random number generator (RNG) in the "stormpath-sdk-php" library. Specifically, the issue is present in the generation of UUID (Universally Unique Identifier) version 4 within the codebase.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "stormpath/sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.19.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-29T13:09:29Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The vulnerability pertains to the usage of an insecure random number generator (RNG) in the \"stormpath-sdk-php\" library. Specifically, the issue is present in the generation of UUID (Universally Unique Identifier) version 4 within the codebase.\n",
"id": "GHSA-q8fc-v85f-78pw",
"modified": "2024-05-29T13:09:29Z",
"published": "2024-05-29T13:09:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/stormpath/stormpath-sdk-php/issues/132"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/stormpath/sdk/2017-11-20.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/stormpath/stormpath-sdk-php"
},
{
"type": "WEB",
"url": "https://github.com/stormpath/stormpath-sdk-php/blob/15aee3007b8aa41c20cdf28fd650b8a2368a7fa9/src/Util/UUID.php#L167-L181"
},
{
"type": "WEB",
"url": "https://github.com/stormpath/stormpath-sdk-php/blob/62698ea98ef89217f932e28cf3e511d39af3b4cf/src/Authc/Api/ApiKeyEncryptionOptions.php#L48-L50"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "stormpath/sdk uses Insecure Random Number Generator"
}
GHSA-Q96M-53G6-X5C4
Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2022-10-13 12:00SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses insecure random number generator program which makes it easy for the attacker to predict future random numbers. This can lead to information disclosure and modification of certain user settings.
{
"affected": [],
"aliases": [
"CVE-2022-41210"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-11T21:15:00Z",
"severity": "MODERATE"
},
"details": "SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses insecure random number generator program which makes it easy for the attacker to predict future random numbers. This can lead to information disclosure and modification of certain user settings.",
"id": "GHSA-q96m-53g6-x5c4",
"modified": "2022-10-13T12:00:27Z",
"published": "2022-10-12T12:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41210"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3248384"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.
No CAPEC attack patterns related to this CWE.