
CVE-2015-8851: Insecure Entropy Source - Math.random() in node-uuid

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score
0.64023%
Published
4/16/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: node-uuid
Ecosystem: npm
Vulnerable Versions: < 1.4.4
First Patched Version: 1.4.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how node-uuid versions before 1.4.4 detected the Node.js crypto module. The fix commit changed the lookup from `_global.require('crypto')` to `require('crypto')`: in a Node.js module, `require` is a module-scoped function rather than a property of the global object, so the old lookup found nothing and the `_rng` function (responsible for entropy generation) silently fell back to `Math.random()`, which is not a cryptographic random number generator. The test case added in the commit verifies that crypto is actually used, confirming this was the vulnerable code path. CWE-331 (Insufficient Entropy) maps directly to this pattern: UUIDs built from predictable output may be guessable, which is what the CVSS vector's C:H reflects.


WAF Protection Rules

WAF Rule

Affected versions of `node-uuid` consistently fall back to using `Math.random` as an entropy source instead of `crypto`, which may result in guessable UUIDs.

Recommendation: update to version 1.4.4 or later.
