CVE-2021-23451: otp-generator before v3.0.0 insecurely generates random one-time passwords
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-23451
GHSA ID:
EPSS Score: 0.36039%
CWE:
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
otp-generator | npm | < 3.0.0 | 3.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from using Math.random() in the package's rand function to pick the random index of each OTP character. Commit b27de1ce replaced Math.random() with crypto.randomInt, which identifies it as the insecure call. Math.random() is a non-cryptographic PRNG (xorshift128+ in V8) with a small internal state: an attacker who observes enough values derived from it can recover that state and predict every subsequent output, so OTPs built from those values are guessable rather than random, and the attack becomes prediction instead of a brute force over the full OTP space. crypto.randomInt draws from the operating system's CSPRNG and returns a uniformly distributed integer in [0, max), so the selected indices are neither predictable nor skewed by modulo bias. Note that crypto.randomInt itself only became available in Node.js 14.10.0 and 12.19.0; on older runtimes the equivalent is rejection sampling over crypto.randomBytes.