
CVE-2020-36732: crypto-js uses insecure random numbers

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.67841%
Published: 6/12/2023
Updated: 1/6/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
crypto-js    | npm       | < 3.2.1             | 3.2.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff shows that the vulnerable secureRandom function generated random numbers by building the string '0.' followed by a 3-byte integer and converting that string to a float. This limits the entropy to 24 bits (3 bytes) and produces predictable patterns in the resulting floats. The patch replaced it with cryptoSecureRandomInt, which uses 4-byte integers directly. The CWE-330/331 mapping confirms insufficient randomness/entropy, and the vulnerability description explicitly references this insecure concatenation pattern.


WAF Protection Rules

WAF Rule

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
