9.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-h5vj-f7r9-w564

EPSS Score

CWE

CWE-506

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-h5vj-f7r9-w564

GHSA-h5vj-f7r9-w564: Entropy Backdoor in text-qrcode

All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating 32 bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a 32 byte value being returned, but one that is easily guessable.

Recommendation

Uninstall text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances of generated entropy must be replaced. This includes things like bitcoin wallets, private keys, encrypted messages, etc.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-h5vj-f7r9-w564

EPSS Score

CWE

CWE-506

Published

9/1/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
text-qrcode	npm	>= 0.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability explicitly involves malicious modification of the crypto.randomBytes function. While the exact file path in the package isn't specified in the advisory, the technical description confirms the attack vector is the substitution of this critical cryptographic function. The confidence is high because the advisory directly identifies the method being overwritten (randomBytes) and the cryptographic module (crypto) as the target of the backdoor.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* `t*xt-qr*o**` *ont*in m*li*ious *o** t**t ov*rwrit*s t** `r*n*om*yt*s` m*t*o* *or t** `*rypto` mo*ul* wit* * *un*tion t**t **n*r*t*s w**k *ntropy. Inst*** o* **n*r*tin* ** *yt*s, t** in***t** r*n*om*yt*s will **n*r*t* * *yt*s o* *ntro

Reasoning

T** *or* vuln*r**ility *xpli*itly involv*s m*li*ious mo*i*i**tion o* t** `*rypto.r*n*om*yt*s` *un*tion. W*il* t** *x**t *il* p*t* in t** p**k*** isn't sp**i*i** in t** **visory, t** t***ni**l **s*ription *on*irms t** *tt**k v**tor is t** su*stitution

9.8

Basic Information

Concerned about an active attack path?

GHSA-h5vj-f7r9-w564: Entropy Backdoor in text-qrcode

Recommendation

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI