2.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62710

GHSA ID

GHSA-gr7h-xw4f-wh86

EPSS Score

0.02534%

CWE

CWE-337

Published

10/22/2025

Updated

10/23/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62710

CVE-2025-62710: Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact

EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data.

Patches

SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

Credits

Reported by Suraj Gangwar.
Patched by Sam Ottenhoff (Longsight).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62710

CVE-2025-62710:

2.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62710

GHSA ID

GHSA-gr7h-xw4f-wh86

EPSS Score

0.02534%

CWE

CWE-337

Published

10/22/2025

Updated

10/23/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.sakaiproject.kernel:sakai-kernel-impl	maven	<= 23.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security advisory GHSA-gr7h-xw4f-wh86 describes a vulnerability where a predictable pseudo-random number generator (PRNG) is used for generating a critical server-side encryption key. The analysis of the provided patch commit, bde070104b1de01f4a6458dca6d9e0880a0e3c04, confirms this.

The root cause is the use of org.apache.commons.lang3.RandomStringUtils without providing a cryptographically secure random number generator. By default, this utility uses java.util.Random, which is not suitable for security-sensitive applications as its output can be predicted if an attacker has some knowledge of the seed (e.g., the application's start time).

The investigation of the patch revealed two key locations where this insecure method was used:

org.sakaiproject.util.impl.EncryptionUtilityServiceImpl.init(): This is the primary vulnerable function identified in the advisory. It generates the serverSecretKey used for encryption services across the application. The patch replaces the insecure call with one that explicitly uses java.security.SecureRandom, a cryptographically strong PRNG.
org.sakaiproject.component.app.scheduler.jobs.cm.processor.sis.UserProcessor.generatePassword(): A similar insecure pattern was found and fixed in this method, which is responsible for generating user passwords. The use of a predictable PRNG here would result in weak, guessable passwords.

Both functions would appear in a runtime profile during the exploitation or triggering of this vulnerability. The init function would be called during application startup, and generatePassword would be called during user processing tasks. An attacker could target the output of either function (encrypted data or user passwords) to exploit this weakness.

Vulnerable functions

org.sakaiproject.util.impl.EncryptionUtilityServiceImpl.init

kernel/kernel-impl/src/main/java/org/sakaiproject/util/impl/EncryptionUtilityServiceImpl.java

The 'init' method in EncryptionUtilityServiceImpl uses RandomStringUtils with the default java.util.Random to generate a server-wide secret key. This non-cryptographic PRNG is predictable, allowing an attacker who can obtain ciphertexts and approximate the PRNG seed to reconstruct the key and decrypt data.

org.sakaiproject.component.app.scheduler.jobs.cm.processor.sis.UserProcessor.generatePassword

jobscheduler/scheduler-component-shared/src/java/org/sakaiproject/component/app/scheduler/jobs/cm/processor/sis/UserProcessor.java

The 'generatePassword' method in UserProcessor uses RandomStringUtils.randomAlphanumeric, which relies on the insecure java.util.Random by default. This creates predictable passwords for users, which could be guessed by an attacker with knowledge of the system's state.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62710: Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact

Patches

Credits

CVE-2025-62710:

2.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2025-62710: Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact

Patches

Credits

2.6

2.6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI