
CVE-2021-23451: otp-generator before v3.0.0 insecurely generates random one-time passwords

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.36039%
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
otp-generator   npm          < 3.0.0                3.0.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from using Math.random() in the 'rand' function to generate random indices for OTP character selection. The commit b27de1ce replaced Math.random() with crypto.randomInt, indicating this was the insecure function. Math.random() produces predictable values unsuitable for security-sensitive operations like OTP generation, enabling brute-force attacks through pattern recognition in the pseudo-random number sequence.


WAF Protection Rules

WAF Rule

The package otp-generator before 3.0.0 is vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack.
