Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The code is using crypto.pseudoRandomBytes, which does not generate cryptographically secure random values. This means random numbers produced by this function can be predicted or reproduced by attackers.
Impact#
If insecure random numbers are used for generating secrets, tokens, or cryptographic keys, attackers may be able to guess these values, leading to compromised authentication, session hijacking, or exposure of sensitive data.