CVE-2015-8851: Insecure Entropy Source - Math.random() in node-uuid

CVSS Score: 7.5 (CVSS 3.1)

Basic Information
CVE ID: CVE-2015-8851
GHSA ID:
EPSS Score: 0.64023%
CWE: CWE-331
Published: 4/16/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-uuid | npm | < 1.4.4 | 1.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how node-uuid v1.4.4 and earlier detected the crypto module. The commit diff shows the fix changed '_global.require('crypto')' to 'require('crypto')', indicating that the earlier module resolution failed and caused a silent fallback to Math.random(). The _rng function (responsible for entropy generation) therefore drew its bytes from Math.random(), which is not a cryptographic RNG, whenever crypto was not detected. The test case added in the commit verifies that crypto is actually used, confirming this was the vulnerable code path. CWE-331 (Insufficient Entropy) directly maps to this insecure random number generation pattern.